Credit: Seagate
OJ Reeves found a multi-stage RCE vulnerability in Seagate NAS devices. That was the fun part, next came the actual work: notifying and managing disclosure with the vendor. Not surprisingly, it took real work. After the initial 100 days was close to running out, complaining on Twitter actually got someone to put him in contact with someone at Seagate who was interested in helping. OJ gave them another 30 days before publishing his advisory.
Seagate’s response was to immediately downplay the issue to journalists and make sure that no messy “facts” got in the way of their reporting of the vulnerability and demonstrate just how proactive they are about security.