Comment by _Nat_

4 years ago

I appreciate the distaste for a security vulnerability being sat on for so long. However, the appropriateness of a long embargo would seem like a bigger topic.

That said, about being sitting ducks... dunno how much the situation really changes like that. For example, was this really unknown before this particular discovery? And what other vulnerabilities aren't currently being reported, whether under embargo or not?

Seems like users ought to have reasonable expectations about how secure popularly practiced technology is. If someone believed that a vulnerability like this wasn't a possibility, then they may need to update their expectations.