Comment 168 for bug 2059809

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Based on feedback so far, due to the additional exploit paths and subsequent patch revisions/amendments which have arisen since the downstream stakeholder advance notification I sent on Thursday, are there any objections to delaying our disclosure by 5 days to 15:00 UTC Tuesday 2024-07-02, in order to give stakeholders more time to integrate updated patches?

We can't delay by more than a week because we've notified the linux-distros mailing list, and they impose a two-week limit for publication. We should also avoid issuing an advisory on July 4 (or the day prior), since it's a major holiday for many of the developers participating in this bug who we'll need available to push and approve the patches in code review at that time.

Note that delaying disclosure is not without some added risk, since there's a chance that not all downstream stakeholders who were previously notified also see the revised disclosure date before they publish something following the original timeline. Further, it puts us 4 days past our self-imposed 90 day maximum embargo time on reports of suspected vulnerabilities, which we try very hard to avoid exceeding.

If there are no strong objections posted in the next 4 hours (before 20:00 UTC today), I'll send a reschedule notification to all downstream stakeholders along with a promise to follow up no later than Thursday with finalized patches.