by russdill 2 days ago
The "security authorities"? Who exactly is that? And what action are they expected to take?

Responsible disclosure is not gratuitous, it's not blackmail. It is a standard industry practice. And the entity you notify is the vendor.

1 comments

See EU CSIRT network, CISA for US unless it got deleted by the current management.
CISA advocates for responsible disclosure and links directly to documents telling you how to do so such as https://certcc.github.io/CERT-Guide-to-CVD/tutorials/cvd_in_...

That if you locate a vulnerability, you should contact the vendor and that "In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability"

I get the weird feeling like you have a dog in this fight

No skin in the game apart from personally making the same naive mistake