I believe they were already frustrated by the responses to the fixes they did submit.
I get the frustration. It is how many big companies avoid responsibility, but that’s usually to avoid the cost of actually fixing stuff. In a FOSS project, what’s the point of rejecting a simple fix because some complex process, meant for complex issues in proprietary software that the security researcher can’t suggest specific fixes for, wasn’t followed? Why fill out a bunch of “paperwork” and initiate a long embargo period before a fix is considered when the fix is already submitted and is simple enough, and low enough in risk and impact, to not require more than a cursory review? It’s like asking a road engineer who sees a small pothole that only damages a few cars a year, and offers to fill it because they are often affected by it, to file a superior court case in order to report it, much less fix it.
So, it’s a matter of, give up because it’s too much of a burden to report, or announce in the most ethical way possible to incentivize fixes actually happening.