by ziddoap 1458 days ago
>Hundreds of thousands, if not millions. The nature of the device has been heavily redacted to protect the guilty.

This is rather annoying, and sort of the whole point of responsible disclosure.

Disclose the vulnerability to the company, and at some predetermined amount of time later spill the beans, including the vendor.

If the company does not want to fix it, the people using the products deserve to know that and make their decision (dump the product, live with the risk, etc.). Or the company fixes it, and people are happy.


A valid point. But responsible disclosure in the world of un-patchable devices that actually move and can cause physical harm once pwned feels a little bit different. While we've done things to mitigate a blast radius, publicising guilty names would still lead to lots of damage because, you know, these are toy cars.

I am the only one who knows my risk tolerance and threat model. I do not appreciate when other researchers think that they know my tolerance and threat model better than I do.

The only reason not to release names after a reasonable responsible disclosure timeframe is because the researchers somehow think they are the only ones that will ever find that flaw. Pure hubris. Some malicious person will eventually find those same flaws, and then I'm fucked without being given the opportunity to evaluate whether or not I want to risk getting fucked.