by layer8 410 days ago
> The way this should work is that the researcher discloses to the company, and the company reaches out to and informs their customers immediately. Then they fix it.

If that was common practice, bad actors would make sure to be a registered customer of all interesting targets, so that they get informed early about vulnerabilities before there is a fix. And it would create a black market for that information.

When someone gets the information “Asus BIOS has an RCE vulnerability related to driver installation”, they’ll be able to figure out the details quickly with high probability, like OP did.