> since he was being responsive, chose to share some additional vulnerabilities with him.

Mmm, this sounds like you sit on vulnerabilities, choosing to notify people who can fix it upstream if and only if they're "being responsive". Is this accurate? Are you sitting on any now?

> With the general upstream attitude and handling of security bugs, on principle I don't email vendor-sec or security@.

What principle is this that you're acting on?