Hacker News

tptacek yesterday at 11:32 PM

It is literally not the vulnerability researcher's problem to solve or address this.


Replies

spookie today at 12:59 PM

Brother, it is a simple email to a mailing list.

They are professional security researchers, they must know this is the way it is done in the ecosystem.

Kicking the can around leads nowhere.

SOLAR_FIELDS today at 1:38 AM

Agree, but then where does the accountability lie? Presumably with the kernel maintainers themselves, correct? SOMEONE dropped the ball here. If we can't point the finger correctly, that seems like a problem in and of itself.

nextlevelwizard today at 12:35 PM

That is just being pedantic. Why did they absolutely need to release this into the wild now? Why couldn’t they have waited?

“30 days should be enough time” why? Why is 30 days a magic number? Especially in open source.

Yeah, it isn’t the researcher’s problem to tell every distributor of the kernel about the fix or verify that everyone has the fix, but fuck, maybe wait until at least someone has the fix and maybe don’t drop it on a Friday. That is just malicious.

fweimer today at 10:36 AM

If you just want to get a bug fixed that annoys you, it's of course out of scope.

If researchers want to showcase their ability (either individually or as an organization) to identify and address security vulnerabilities in complex multi-stakeholder environments, I very much expect them to figure this out. After all, it doesn't make much sense if a company, after commissioning a security review, needs to hire a different firm to handle the vendor interactions, so that identified issues are resolved with minimal impact to the business.

__bjoernd today at 9:24 AM

If they get enough time to build a website with a fancy logo instead, one might however question where their priorities are.
