Well, at least one time I found a bug in OpenBSD, told NetBSD, then looked at their fix and discovered our fix was incomplete because my regress had a false negative. But up until that moment I was pretty confident about our fix.
I think that's sort of a pattern. Vendor X is affected by a POC, so they fix the issue. They then develop more tests. Vendor Y concludes they are not affected, perhaps based on a false negative test, and fails to investigate further. Now X understands more about the true scope of the problem than Y and they have tests to demonstrate on Y, but Y does not.