[fweimer]

If you just want to get a bug fixed that annoys you, it's of course out of scope.

If researchers want to showcase their ability (either individually or as an organization) to identify and address security vulnerabilities in complex multi-stakeholder environments, I very much expect them to figure this out. After all, it doesn't make much sense if a company, after commissioning a security review, needs to hire a different firm to handle the vendor interactions, so that identified issues are resolved with minimal impact to the business.

[tptacek]

I think they want to showcase their ability to unearth zero-day vulnerabilities. The multi-stakeholder stuff not so much.

[dwattttt]

> a company, after commissioning a security review, needs to hire a different firm to handle the vendor interactions

These vendor interactions you're referring to are the company's customers, correct? Are you proposing the company hire another company to manage getting updates to their customers?