Comment by rustyhancock

I think I'd personally develop a minimal patch and then publically disclose.

I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.