The disclosure timeline for @quarkslab's PixieFail is hilarious and mirrors my experience of trying to manage disclosure of firmware vulnerabilities with IBV/ODM/OEMs. https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
Follow
@quarkslab for instance Sleep Attack (CVE-2020-8705) initially had a 90 day disclosure timeline, but in the end took almost a year to coordinate with between Intel, the BIOS vendors and the OEMs since it required new Management Engine firmware to be deployed. https://trmm.net/Sleep_attack/
@quarkslab (but I was never asked if I would fix the problem for them... and even now I'm not sure exactly how Intel worked around the Bootguard fuse misconfiguration, so the mitigation section of my writeup is speculative)