by junon 978 days ago
That has to do with curl itself; Red Hat isn't necessarily bound to that schedule, and we don't know the discussion that happened privately prior to the disclosure date.

That kind of approach leads to the party which broke ranks this time not being included in confidential things in future.

Along the lines of "they've proven they can't be trusted", kind of thing.

I don't agree they broke ranks. The 6am date was for the curl project itself.
Probably depends on whether Red Hat was party to privileged info as part of a co-ordinated release for this. Personally, I have no idea.
I'd be surprised if not, but even then, it's not clear if the time was a requirement set by the cURL team at all for projects that aren't cURL.
Red Hat is one of the subscribers of the mailing list where the CVE details were sent under embargo, so yes, they were bound to that and broke the embargo 13 hours earlier than the lift date.