@WPalant I've also seen security advisories published before there's even a patch, in some cases—when there's a workaround, and the patch will take a while to produce.
Unless the vendor has been given ample time to fix their shit and has done nothing, the disclosure should await the fix.
@ScottMortimer That's the assumption in the question - that disclosure happens after the fix, probably considerably later.
@WPalant Before I comment: I don't judge any researchers for how they choose to disclose. Everyone has their reasons. IMO the disclosure is partly to inform users, partly to publicise the vulnerability so the industry can move forward and maybe stop making that mistake. I think there's value in letting "most" users patch before dropping complete details.
@tk A security advisory is published by the vendor, not by the researcher.
@WPalant Okay, for that specifically - both user safety and PR. They're inseparable.