In my experience charging too little is one of the biggest mistake to do when starting.

About that "That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.", you mean that if you disclose selectively, then you become liable for damages? or was it a more direct conversation with legal/governmental agencies?

And for a bug like this, what is the policy with backporting patches to lts branches? Since it was corrected in mainline on april 1st but only backported after the public disclosure. Do you delay backporting to minimise any attention on the security issue?

I guess that having a patch for that land on all the LTS branch would signal to any would be attacker that it's a significant security issue...

Sorry for all the questions but I'm genuinely interested.

EDIT: Just read your blog post at http://www.kroah.com/log/blog/2026/01/02/linux-kernel-securi... which does answer a lot of my questions...

As soon as a patch is committed, the clock starts ticking, the exploit will be discovered by reverse engineering recent commits. The commit was made on April 1st, Xint disclosed it on the 29th. If the Kernel Security team had wanted to, they had 28 days to backport patches in the LTS branches...

So, I wouldn't put any blame on Xint there.

> Nope, sorry, we are NOT allowed to notify anyone about anything "ahead of time" otherwise we will have to tell everyone about everything. That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.

I'd be interested in knowing more about that policy... Seems that there should be exceptions for the major distros.

Of course, major distros who have contracts with SLA could also pay for someone to be on the kernel security team and get a heads up like that..

- They ditched their previous android app for a new one that doesn't get the grandfathered accessibility access so autofill is mostly useless...

- On mac, safari integration is consistently flaky. It regularly keeps getting blocked in a loop telling me to unlock 1password when 1password has already been unlocked.

- Passkeys are unreliable to the point of being unusable

- Autofill frequently doesn't work well where for some reason the site with the same url as saved in 1password is not offered during autofill. When 1password used to work, it helped catch phishing attempts because it wouldn't show autofill on pages that do not match. Nowadays because of the shitty autofill, people get trained to go to the app, copy the password and paste it in the website. This means that it will no longer protect from phishing attempts

- The previous behaviour of saving any newly generated password as a password object (not login) was much better. Now newly generated passwords are only available in the password history of the browser extension you specifically used.

- I can't tell 1password to ignore a specific website

At this point, the only reason I'm not using bitwarden is that search is very slow on it with 2k+ passwords.

Honestly, it's never seemed hard to me and I don't remember a time when I was not able to walk while reading without bumping into things. Even as a student when studying for exams, I'd walk around in circle in my room reading my textbooks, for some reason walking helped to better remember...

I'm addicted to reading, I take my kindle and phone everywhere, so will grab them when I'm walking, taking a shower, waiting in line, going to the restroom... Between my kindle and my phone, I read a lot more books than I ever did but I don't digest the information as much as I used to. I also don't make as much associations between what I read and things going on in my own life. So, in a way, despite reading a lot more, I don't think I benefit as much from it.

Now, I'm purposefully forcing myself not to reach to my kindle when taking a walk so that my mind can wander as much as I do.

I do have to say I was appalled by some of the tests I had as an exchange student in the US (will not name the Uni in question but ranked around 60 in us rank). I remember a computer graphics test where a lot of questions were of the type "Which companies created the consortium maintaining the opengl specification?"... it was fully possible to obtain a passing grade just by rote memorization of facts. So I have no trouble believing that in the US it's possible in some unis to get a software engineering degree without understanding or critical thining

The poster you replied to just wrote a comment on HN that is meant to be read by an audience, is clear, well written and well structured. Given that, why ever would you assume that the documentation that same poster produced would be too terse to serve the job?