Suggestion on Public Disclosure Date Extension

Questions or suggestions about the platform
kongwenbin
Posts:18
Joined:Sun Sep 24, 2017 4:30 am

Post by kongwenbin » Fri Apr 20, 2018 8:17 am

As mentioned in the subject title -- I would like to suggest an option for researchers to extend the date of public disclosure.

Currently, it is a fixed date at 3 months later. I am wondering if it is possible for researchers to opt to extend the public disclosure date. This is to allow some leeway for companies that want to fix and are currently working on a fix to truly resolve the issue before the public disclosure date.

It is especially useful when you are already in touch with the company and know that they are doing their best to resolve the issue and also contacted you to help to accommodate on the disclosure date.

Our current options are:
(1) be bad and go ahead with the public disclosure even though they can't patch in time. Note that in this case, they have made an attempt to contact you and kept you updated on their plans in advance. They were also appreciative of your help and for reporting the bug, just that they can't fix in time, they just need a little bit of extension.
(2) be nice, be understanding, sometimes they just need a week or a month more to complete their internal process or complete the internal testing and get the deployment completed. It's not like they don't care. I'd rather they deploy a good fix than deploy a temp fix that leads to more issues. We are here to help.

I will always choose option (2) when given a choice like this :)

Of course, the extension should be totally optional. So far I have had a few companies in this situation, and in order to help, I could only delete my report from Openbugbounty. So, just saying that if there is an optional extension option then it will be pretty useful at times like this.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: Suggestion on Public Disclosure Date Extension

Post by x1admin » Fri Apr 20, 2018 8:44 am

You can extend the date of disclosure on the Open Bug Bounty Submissions page.

kongwenbin
Posts:18
Joined:Sun Sep 24, 2017 4:30 am

Re: Suggestion on Public Disclosure Date Extension

Post by kongwenbin » Fri Apr 20, 2018 8:51 am

x1admin wrote:
Fri Apr 20, 2018 8:44 am
You can extend the date of disclosure on the Open Bug Bounty Submissions page.
Thanks, I just found the feature. I did not realise that was an extension option until I went to click on everything I see in the page :D
