[ori_b]

Incorrect. They had explicit permission from the researcher involved to commit when they did. Here's the full discussion, if you want to read it yourself.

https://marc.info/?l=openbsd-tech&m=152909822107104&w=2

More directly, from the KRACK FAQ: As a compromise, I allowed them to silently patch the vulnerability.

https://www.krackattacks.com/#openbsd

It's also worth noting that Microsoft violated the embargo as well: On this topic, it is also worthwhile to mention that Microsoft pushed their fixes on patch Tuesday on 10 October 2016 [1]. That's before the agreed disclosure deadline, albeit quite close in time.

Quite rightly, nobody is suggesting that nearly a decade later, we should be keeping Microsoft off responsible disclosures as a consequence.

[loeg]

I mean, I just disagree with that interpretation of 2018 events. The embargo deadline was extended, OpenBSD violated that. They refused to play ball with the coordinated extension. The researcher is orthogonal to that. Their actions in 2018 are certainly not universally celebrated as a good way to participate in an embargo.

[wbl]

You don't get to extend an embargo unilaterally. Now that there's a new uniform 90 days the conversation looks different.

[ori_b]

They asked for permission from the coordinator and got it. It's that simple. There's nothing open to interpretation here.

The next time you coordinate a disclosure, you can run it differently.

[ksec]

Why do people blame OpenBSD but not the coordinator is beyond me.

[loeg]

This subject of this article is OpenBSD; it's reasonable to be discussing OpenBSD. I'm not saying that guy is blameless.