The super irresponsible actions of r and Pete are not in line with what we agreed to in terms of a timeline with disclosure of information. We agreed to not disclose information until 48 hours after the post, and they both have disrespected that. They did not reach out to me before revealing that information. Pete getting knowledge of the issue ahead of the disclosure timeline was also done without communication after I explicitly set the initial timeline to have him involved after. I attempted to ask r to delete their reply, but they refused and downplayed what they said.

They are risking users and making an issue not only for themselves but for 8bloat which is a hard independent fork. I take security issues like these seriously and they're being incredibly disrespectful and selfish instead of waiting less than two days to talk about it. Now I have to clean up the mess on my end and explain what happened to my users and leave them on constant edge during this period. This all stems from me doing a security audit on 8bloat and giving them the courtesy of working with me to make sure nobody was affected by the issue in upstream. Basic respect was not given throughout the entire process.

I'm currently monitoring for evidence of the issue being discovered. If you find evidence of an attacker finding out what it is, or if someone reveals more information that would enable an attacker to exploit the issue, please let me know so I can publish the patch early.

The issue is being downplayed now to a misleading/factually incorrect degree. DO NOT USE THE CLIENT.

I'm sorry to 8bloat users. I wish I could've seen this shit coming. I'm going to be more careful about who I disclose these kinds of issues to in the future and take a downstream-first approach.