> On Oct 29, 2021, at 5:26 PM, Nick Hilliard <n...@foobar.org> wrote: > > Because this didn't happen, we now get to look forward to a weekend of > elevated risk, followed by people upending their calendars to handle > un-coordinated upgrades on monday morning.
That only happens if the team has the time to get the fix into the code, tested, validated, regressed, and deployed. I would say this is a classic example of “ego” to publish overruling established principles. The University of Twente should explore requiring classes for responsible disclosure. NCSC, it seems you threw out your own policy: "The NCSC will try to resolve the security problem that you have reported in a system within 60 days. Once the problem has been resolved, we will decide in consultation whether and how details will be published.” I would have expected you to council the researchers on responsible disclosure principles.
signature.asc
Description: Message signed with OpenPGP
