Asking for a release date is a perfectly reasonable request! My response was highly influenced by the context. I came back with "email me for a support contract" because 1) I previously stated in the thread that we will not ship a patch release for this[^1] and 2) the commenter emphasized the impact on their paying customers. So this was all I had to add there. I agree that I could have phrased this more nicely, but I personally don't feel my reply was totally over the top.

[^1]: the CVE itself is bogus and we don't use that part of the dependency.
politelemon|2 years ago
A trend I'm noticing: compliance and infosec teams only caring about checklists and not being able to understand the nuances of CVEs. They only see the number. Thus the boneheaded pursuit and odd expectations spilling into the open source ecosystem.
woofcat|2 years ago
Anything regulated / FedRAMP etc has timelines for security issues and they simply don't care how you can explain it. It's just 'fix it'.
account42|2 years ago