Then Google would have to put out of the fire of that vulnerability in their dependent software.
Not disclosing a vulnerability doesn’t stop attackers from exploiting it.
A report simply indicates someone who noticed bothered to report it.
The problem is the vulnerability.
False urgency is nothing more: Google’s urgency isn’t the maintainer’s & the maintainers don’t need to “meet the window”.
Companies will be left with their pants on fire if they don’t act, too, but it will cost them more.
Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.
Then Google would have to put out of the fire of that vulnerability in their dependent software.
Not disclosing a vulnerability doesn’t stop attackers from exploiting it. A report simply indicates someone who noticed bothered to report it.
The problem is the vulnerability. False urgency is nothing more: Google’s urgency isn’t the maintainer’s & the maintainers don’t need to “meet the window”. Companies will be left with their pants on fire if they don’t act, too, but it will cost them more. Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.