
Comment by haukem

4 years ago

I think such long embargoes are bad.

Embargoes prevent the average cyber criminal from knowing about the problems, but the resourceful organizations already get the information before the public knows about them. I think even 90 days are pretty long.

For example, 253 vendors were informed about the problem in dnsmasq about 3 months before it was published: https://www.kb.cert.org/vuls/id/434904 (all vendors listed here were informed). In each organization probably multiple people know about this.

Long embargoes only give companies cover to continue to not prioritize security or responding to security issues in a timely manner.

That we have had embargo processes for decades is utterly ridiculous. It's time for these vulnerabilities - especially for the ones that literally break everything - to be treated with the urgency they should be.