
Comment by MatthewWilkes

14 hours ago

I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.

I think I'd personally develop a minimal patch and then publicly disclose.

I'm not sure it'd be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.