> After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, "you do what you do."
Exim is an old codebase, but I've interacted with the devs often, and this doesn't jibe with my experience.
Even filing a bug report or help request, they request the standard stuff to reproduce, config examples of the help request to give context, in a polite and professional manner. It's a lovely project, a flexible MTA and good stewards of open source.
I don't suspect the communications will be released, but I have a bias to favor the Exim developers on this over a corporate entity offering bug bounties and clout.
A bit further upthread an Exim dev has a different account:
"The ZDI contacted us in June 2022. We asked about details but didn't get answers we were able to work with. [..] Next contact with ZDI was in May 2023. [..] The remaining issues are debatable or miss information we need to fix them."
I have no experience with anyone involved and don't really know anything more than this; just pointing out there are differing accounts here.
https://seclists.org/oss-sec/2023/q3/259