[willk]

It feels like they waited a long time to post an advisory for an exploit that was being actively used by threat actors, more than a week after they pushed a fix to their repositories. Why not give customers a heads up prior? At least give your users a fighting chance.

[panarky]

> The patch for the vulnerability was pushed to Github on July 5. Another actor exploited the vulnerability for a full two weeks beginning on July 11 before the official patch became available on July 25.

What's the point of a responsible disclosure embargo policy when the enterprise software developer alerts threat actors of the precise vuln three full weeks before they even begin to patch their customers' systems?