> 2020-12-03 Microsoft advises that due to issues identified in testing, the fix will now slip to January 2021.
> 2020-12-08 Meeting between MSRC and Project Zero leadership to determine details and discuss next steps. The 14-day grace period is unavailable as Microsoft do not plan to patch this issue before Jan 6 (next patch Tuesday is Jan 12).
> 2020-12-23 90 day deadline exceeded - derestricting issue.
Ouch. With xmas in the middle the grace period, I could see how this can be considered too strict on P0's part. Then, again, the initial bad fix surely harmed whatever trust there was between the parties.
> The only difference between CVE-2020-0986 is that for CVE-2020-0986 the attacker sent a pointer and now the attacker sends an offset.
CVE-2020-0986 had been discovered in the wild in May. Microsoft claimed to have fixed it, so this was logged as a separate CVE, even though it's essentially the same bug (the fix can be trivially circumvented) and P0 has given it a new 90 day period, which has now ran out.
I wouldn't call it too strict, they had much more than 90 days to fix it properly.
> 2020-12-08 Meeting between MSRC and Project Zero leadership to determine details and discuss next steps. The 14-day grace period is unavailable as Microsoft do not plan to patch this issue before Jan 6 (next patch Tuesday is Jan 12).
> 2020-12-23 90 day deadline exceeded - derestricting issue.
Ouch. With xmas in the middle the grace period, I could see how this can be considered too strict on P0's part. Then, again, the initial bad fix surely harmed whatever trust there was between the parties.