The fact is that the devs certainly do know about it by now, yet users do not have a fix yet. Users do, however, have a workaround, and knowledge that the security flaw exists in the first place.
Waiting for a fix before disclosing a security flaw is security by obscurity, even if it is to be replaced soon.
It is best for users to know that their system is vulnerable, and how to fix that without waiting for a system update.
> "The fact is that the devs certainly do know about it by now, yet users do not have a fix yet."
Citation needed.
> "It is best for users to know that their system is vulnerable, and how to fix that without waiting for a system update."
Stepping outside the 'tech' social bubble, most general users likely won't create a root account and password from something they see on TV or their local news site, or at least not before a patch would have been released.
Has there been an update released yet? I wouldn't know, I don't use OS X.
Is this the best way to report a security flaw? Of course not! Is it a bad way? No! The only bad way to report a security flaw is to not report it at all.
> Has there been an update released yet? I wouldn't know, I don't use OS X.
I think you might have misunderstood what I meant when asking for a citation; it's based on the statement you made, in relation to citing sources for something that could be opinion stated as fact.