Hacker News
by freeopinion 919 days ago
I'm inclined to agree. I'm not comfortable with the way this unfolded.

> The Dutch NCSC (NCSC-NL) was informed in December 2021, after which meetings were held with the law enforcement and intelligence communities, as well as with ETSI and the vendors. Shortly afterwards, on 2 February 2022, preliminary advice was distributed to the various stakeholders and CERTs. The remainder of 2022 and the first half of 2023 were used for coordination and advisory sessions with stakeholders, allowing manufacturers to come up with firmware patches, updates or workarounds.

This reads to me as if malicious parties were notified some 18 months before users were notified.

1 comments

Depends on who the stakeholders were.
Does it? Intelligence agencies were among the first informed. Those are the bad guys.

I know "bad guys" is a harsh phrasing, but when it comes to encrypted communication, they are literally the definition of the adversary. Anybody in intelligence that doesn't play for my team is a "bad guy". And since everybody belongs to multiple conflicting teams, even a person who plays on one of my teams is a "bad guy" from the perspective of my other teams.

If the first place you go with a disclosure is to the intelligence community, you are hurting users.