Comment by Dah00n
4 years ago
I can't read from your comment if you think this is A Good Thing. In my opinion it is a Very Bad Thing. None of those entities are more important than everyone else. If anyone should be alerted it should only be those that fix the vulnerability in WiFi devices. Anyone else and not only does the risk of leaks rise exponentially but some of them will rub their fingers with glee and exploit it ASAP.
I think such long embargoes are bad.
Embargoes prevent that the average cyber criminal knows about the problems, but the resourceful organizations already get the information before the public knows about them. I think even 90 days are pretty long.
For example, 253 vendors were informed about the problem in dnsmasq about 3 months before it was published: https://www.kb.cert.org/vuls/id/434904 (all vendors listed here were informed). In each organization probably multiple people know about this.
Long embargoes only give companies cover to continue to not prioritize security or responding to security issues in a timely manner.
That we have had embargo processes for decades is utterly ridiculous. It's time for these vulnerabilities - especially for the ones that literally break everything - to be treated with the urgency they should be.