[cadamsdotcom]

Not shining a spotlight is worse. The important thing is providing time to address the found vulnerability, ie. responsible disclosure. For which OP has indeed provided a timeline.

The debate has long since been settled comprehensively in favor of openness.

[azinman2]

2025-01-30: Hirsch asked for an update as to whether clients running vulnerable systems have been alerted (no response as of publication)

2025-02-14: CVE-2025-26793 assigned

2025-02-15: publication

So two weeks after they don’t respond what they’re going to do with their clients this gets published? I’d hardly call that responsible.

[shawabawa3]

I don't know why you picked a random date 2 weeks before publication instead of the relevant one:

2024-12-27: Current vendor of MESH identified as Hirsch (subsidiary of Vitaprotech Group) and contacted

They were contacted 7 weeks before publication

and

2025-01-11: Hirsch product security responds requesting details and are asked if they intend to alert clients

They responded 5 weeks before publication, and so were aware of the issue for at least 5 weeks before it was disclosed, during which time they did nothing about it

[emmelaich]

https://nvd.nist.gov/vuln/detail/CVE-2025-26793

"Awaiting Analysis This vulnerability is currently awaiting analysis."