Comment by tuananh
2 days ago
> One vulnerability is still not fixed after a 90-day disclosure window that ended in October 2024. It remains unaddressed as of this publication.
curious why now. should they public it last year after 90-day disclosure window ended?
They can publish it whenever they want. There's no actual rules about this stuff. The 90 window is a courtesy.
Specifically, there are responsible disclosure guidelines that came about to deal with the problem of people dropping 0day on a vendor with no prior warning. So the 90 days is a commonly-accepted amount of time to give a vendor to produce a fix. If the vendor needs more time they can request that the submitter give them an extension, although in this case it appears the vendor never responded, thus the repeated entries in the timeline saying "tried to contact vendor, no response" to show they tried to do the right thing.
No there aren't. "Responsible disclosure" is an Orwellian term invented by vendors to create the idea that publishing independent research without vendor permission is "irresponsible". It is absolutely not the case that researchers owe anybody 90 days, or are obligated to honor requests for extensions. Project Zero, which invented the 90-day-plus-extension system, does that as a courtesy.
The 90-day disclosure window is an arbitrary courtesy, not a binding contract about the behavior of either party. They probably had other things to do.