In that case: report the bug, keep your mouth shut until the bug is fixed, then talk about the bug once it is fixed or your responsible disclosure deadline has passed.
Turned out the bug was a 2.9 CVE nothingburger. It’s not like they found the FSB/Mossad/NSA had hooks in a remotely exploitable root level process.
Turned out the bug was a 2.9 CVE nothingburger. It’s not like they found the FSB/Mossad/NSA had hooks in a remotely exploitable root level process.