
The disclosure timeline for @quarkslab's PixieFail is hilarious and mirrors my experience of trying to manage disclosure of firmware vulnerabilities with IBV/ODM/OEMs. blog.quarkslab.com/pixiefail-n

@quarkslab for instance Sleep Attack (CVE-2020-8705) initially had a 90-day disclosure timeline, but in the end took almost a year to coordinate between Intel, the BIOS vendors and the OEMs since it required new Management Engine firmware to be deployed. trmm.net/Sleep_attack/

@quarkslab (but I was never asked if I would fix the problem for them... and even now I'm not sure exactly how Intel worked around the Bootguard fuse misconfiguration, so the mitigation section of my writeup is speculative)

@th @quarkslab
😬
“Strongly disagreed with the opinion expressed by a vendor that "any public announcement before middle of 2024 would cause significant negative impact" and argued that what had significant negative impact was the risk those vulnerabilities were posing to the uninformed users and organizations that run EDK2-derived firmware implementations with the vulnerable NetworkPkg component…”
