> With the general upstream attitude and handling of security bugs, on
> principle I don't email vendor-sec or security@.
That's sad, as email@example.com is the only group that will guarantee
that we will look at the issue and work to resolve it in a quick manner.
> Is it only a problem when the shoe's on the other foot?
No, I was worried that something got reported to firstname.lastname@example.org
that we did not respond to in a timely manner.
If you notify random kernel developers, one of whom is not part of the
kernel security team, then we can't guarantee any type of response.
Which, sadly, seems to be the case here. Otherwise the problem would
have been resolved a long time ago.
In the future, it would be great if you could notify email@example.com
about these types of problems so that they can be handled properly.