by riknos314 38 days ago
I believe this premise that the cost of identification of vulnerabilities via diffs is going down over time begs the question "what do our processes need to look like if simply making the patch public is the disclosure?"

Current coordinated disclosure practices have a dependency on patching and disclosure being separate, but the gap between them seems to be asymptotically approaching zero.


Right, all I'm saying is that we were asymptotically close many years ago; all that's changed is that nobody can kid themselves about it anymore.

The actual policy responses to it, I couldn't say! I've always believed, even when there was a meaningful gap between patching and disclosing, that coordinated disclosure norms were a bad default.

What process or mechanism would you prefer to use instead of coordinated disclosure?

I guess people could download (but not install) encrypted patches with an announced key release date+time, so that by the moment it is disclosed essentially everyone is applying the patch.

That's still coordinated, but by the publicizing of the key.

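The mechanism sketched in the comment above (an encrypted patch distributed ahead of time, with the key released at an announced moment) as an added Go example; this is not code from the thread or from any vendor's tooling. The `SealPatch`/`OpenPatch` names, the choice of AES-256-GCM, and the SHA-256 commitment to the key are assumptions of this illustration. The commitment lets a client confirm that the key it eventually receives is the one the sealed blob was announced with, and GCM's authentication tag rejects a blob that was altered while it sat on disk waiting for the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SealedPatch is what a vendor would publish before the key-release time.
// Clients can fetch and store it, but cannot read the patch until the key appears.
type SealedPatch struct {
	Nonce      []byte   // GCM nonce, public
	Ciphertext []byte   // AES-256-GCM ciphertext with authentication tag appended
	KeyCommit  [32]byte // SHA-256 of the key, published alongside the blob
}

// SealPatch encrypts a patch under a fresh random key and returns the sealed
// blob (to publish now) and the key (to publish at the announced time).
func SealPatch(patch []byte) (SealedPatch, []byte, error) {
	key := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(key); err != nil {
		return SealedPatch{}, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return SealedPatch{}, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedPatch{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedPatch{}, nil, err
	}
	sp := SealedPatch{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, patch, nil),
		KeyCommit:  sha256.Sum256(key),
	}
	return sp, key, nil
}

// OpenPatch is the client side at key-release time: check the released key
// against the published commitment, then decrypt and authenticate the blob.
func OpenPatch(sp SealedPatch, key []byte) ([]byte, error) {
	got := sha256.Sum256(key)
	if subtle.ConstantTimeCompare(got[:], sp.KeyCommit[:]) != 1 {
		return nil, errors.New("released key does not match the published commitment")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// gcm.Open fails if the ciphertext or tag was modified after publication.
	return gcm.Open(nil, sp.Nonce, sp.Ciphertext, nil)
}

func main() {
	// Constructed sample patch; stands in for a real diff.
	patch := []byte("--- a/server.c\n+++ b/server.c\n@@ -1 +1 @@\n-old\n+new\n")

	sealed, key, err := SealPatch(patch) // published at T-0
	if err != nil {
		panic(err)
	}

	// Client stored the blob; key arrives at the announced time.
	plain, err := OpenPatch(sealed, key)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, patch))

	// A key that does not match the commitment is refused before decryption.
	_, err = OpenPatch(sealed, make([]byte, 32))
	fmt.Println("wrong key refused:", err != nil)

	// A blob tampered with while waiting for the key fails authentication.
	tampered := sealed
	tampered.Ciphertext = append([]byte{}, sealed.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = OpenPatch(tampered, key)
	fmt.Println("tampered blob refused:", err != nil)
}
```

The point of the commitment is to make the published blob and the later key mutually binding: a client that fetched a blob from one source cannot be talked into decrypting it with a key from another, and a publisher cannot quietly swap the blob after announcing it without the key check or the GCM tag failing.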
The most common alternative is full disclosure.