by HDThoreaun 214 days ago
Publishing the vulnerability is a demand to fix it. It threatens to cause harm to the reputation of the maintainer if left unfixed.

No, publishing the vulnerability is the right thing to do for a secure world, because anyone can find this stuff, including nation states that weaponize it. This is a public service. Giving the dev a 90-day pre-warning is a courtesy.

Expecting a reporter to fix your security vulnerabilities for you is entitlement.

If your reputation is harmed by your vulnerable software, then fix the bugs. They didn't create the hazard, they discovered it. You created it, and acting like you're entitled to the free labor of those that gave you the heads up is insane, and trying to extort them for their labor is even worse.

This is all true (maybe not the extortion being worse, hard to say), but it doesn't change the fact that publishing the CVE is a demand to fix it.
No, it is a notice to others that your software as-is is insecure in some way. The pre-notice is again a courtesy if you want to fix it.

What you do with the notice as a dev is up to you, but responsible ones would fix it without throwing a tantrum.

Devs need to stop thinking of themselves as the main character and things get a lot more reasonable.

No, it is a request to fix it. How the maintainer feels about it is up to them.
A request to fix it would be privately telling the maintainers about the issue. Publicly releasing it is a demand.
This is not how filing issues against open source software works.
You don't get to decide that lmao. Telling everyone this project doesn't care about security if they ignore my CVE is obviously a demand, and your traditions cannot change that.
CVE != vulnerability

These two terms are not interchangeable.

Most vulnerabilities never have CVEs issued.