What coordinated disclosure looks like from the vendor side, honestly
A product security lead walks us through ninety days of a real disclosure, with the parts vendors usually do not say out loud.
The researcher emails on a Tuesday. By Friday, four teams inside the vendor are arguing about severity. By the end of week two, somebody senior has asked whether the report can be quietly closed.
This is the part that is rarely written down. The disclosure timeline that vendors publish is the clean version. Here is the messier one, with consent.
