I read the email thread, and stsp's comments on Lobsters. I get that there's a grudging agreement on both sides that OpenBSD can't abide by long embargoes, and will simply get notified later in the process when those are expected. That seems like a fine outcome, and not a cause to dunk on a researcher for having a "secret club".
I would dispute the idea that OpenBSD is being punished here, based on the information that's been made public. OpenBSD argued explicitly and repeatedly that embargoed early access to vulnerabilities put them in an untenable position. Both sides of this controversy have, effectively, agreed to delay disclosure to OpenBSD.
I read the email thread, and stsp's comments on Lobsters. I get that there's a grudging agreement on both sides that OpenBSD can't abide by long embargoes, and will simply get notified later in the process when those are expected. That seems like a fine outcome, and not a cause to dunk on a researcher for having a "secret club".
Like I said upthread:
> I think simply pushing back against the length of an embargo should not be characterized as breaking an embargo.
I didn’t like the “secret club” comment either.
I would dispute the idea that OpenBSD is being punished here, based on the information that's been made public. OpenBSD argued explicitly and repeatedly that embargoed early access to vulnerabilities put them in an untenable position. Both sides of this controversy have, effectively, agreed to delay disclosure to OpenBSD.