• borari@lemmy.dbzer0.com
    18 hours ago

    No, they disclosed it to the Linux kernel security team, a patch was committed to mainline, then this was disclosed publicly. https://copy.fail/#timeline

    They don’t have to coordinate disclosure with every distribution vendor, but dropping a public PoC exploit script 28 days after the patch was committed to mainline kind of seems like a dick move to me.

    • Semperverus@lemmy.world
      8 hours ago

      It technically follows the industry standard rules (and companies who have been exploited have 30 days to disclose breaches in the U.S., so there’s probably similar “best practice” stuff with these kinds of disclosures).

      • WhatAmLemmy@lemmy.world
        5 hours ago

        It’s technically still a dick move unless it’s seen in the wild and distros are dragging their heels.

        Sometimes it’s best to use logic instead of best practices.