How long do you wait between reporting vulnerabilities and publishing the query that found them?

[p-]

As the title says, my question is: How long do you wait between reporting vulnerabilities and publishing the query that found them?
In my eyes this mostly depends on the severities of the vulnerabilities found. So I would publish a query that finds low to medium vulnerabilities faster, than one that finds RCEs. So I think it would be nice if authors of queries that find critical vulnerabilities would wait a reasonable time, letting the maintainers of affected software react.

Due to its nature the GitHub Security Lab bounty program encourages participants to publish queries as soon as they are written, potentially enabling others to find and exploit critical vulnerabilities before a fixed version of an affected piece of software is released. However, this is probably not a big problem most of the time.

What do you think?

[nicowaisman]

Hey @p-,
This are all great question that have no easy or correct answer.
Queries are a fantastic way to find vulnerabilities but requires someone to look at them. That process, triaging, requires someone time to do it. Sometimes is the developer and sometime is a security researcher. Right now we are trying to find creative ways to encourage the community and developers to help us triage some of those bugs (Which is the reason why we built the Bug Slayer bug bounty program. Use the query you write to report vulnerabilities to vendors).
We do believe that a query is knowledge that we want everyone to share them with the community to get better. The way our code-scanning workflow works for OSS project right now , is that security alerts will only be visible to the maintainers. Everyone should be able to see alerts as they are introduced on Pull Request, this will help a little bit in protecting the projects before anyone else looks the alert.
However, again a query is (actionable) knowledge. So as people will be publishing queries, they could also be writing tools or blog post. This we believe is beneficial for everyone in the community, to learn and avoid making mistakes.
Specifically to our team, the GitHub Security Lab, we wait until all the project that we were able to triage have fix the vulnerability before we made it public, but we can afford helping developers do some of that triaging.