4-week security patch embargoes with broad distribution are awful. The patches are developed and tested already. If companies can't handle it within 72 hours, it's their issue to resolve. Attackers don't even need an insider when it's leaked as marketing:
reddit.com/r/Android/comm
I also wonder why companies that are not even shipping full security patches every month are even receiving early access. As I said there, this is more about the appearance of security than security. Attackers get access to the patches 30 days before they get released to users.
Most of these companies (such as this one) do not ship the patches regularly, so why do they receive early access? They shouldn't even get 72-hour notice if they're not regularly shipping the patches. Keep in mind many of these are coordinated across multiple OSes... what a joke.
