As such, when should a security advisory be published?
@WPalant I've also seen security advisories published before there's even a patch, in some cases—when there's a workaround, and the patch will take a while to produce.
Unless the vendor has been given ample time to fix their shit and has done nothing, the disclosure should await the fix.
@ScottMortimer That's the assumption in the question - that disclosure happens after the fix, probably considerably later.