Erm, did you read them? The policies aren’t complex at all, just submit the issue (and proposed fix if there is one) through a secure channel, that they’re happy to help set up. If you want to disclose the vulnerability, just wait until the embargo passes so there’s time to fix and have users update. There’s not really anything else you need to do here. This is pretty standard stuff that this person just seemed too lazy to participate in.
Of the three fixes submitted, only a single one was closed since it didn’t seem very major and would be a breaking change (which shouldn’t be made without prior discussion). The other two are still open, and a maintainer is helping to add tests for the fixes (since the author didn’t add them). The only comment that was somewhat negative was that security fixes should preferably follow the established guidelines. That’s all.
Erm, did you read them? The policies aren’t complex at all, just submit the issue (and proposed fix if there is one) through a secure channel, that they’re happy to help set up. If you want to disclose the vulnerability, just wait until the embargo passes so there’s time to fix and have users update. There’s not really anything else you need to do here. This is pretty standard stuff that this person just seemed too lazy to participate in.
Of the three fixes submitted, only a single one was closed since it didn’t seem very major and would be a breaking change (which shouldn’t be made without prior discussion). The other two are still open, and a maintainer is helping to add tests for the fixes (since the author didn’t add them). The only comment that was somewhat negative was that security fixes should preferably follow the established guidelines. That’s all.