What I don’t get is why the author was sitting on this since May, when he presented the stuff at some con. Giving people some time to patch is OK, but 6 months is a bit too much for this kind of info to be out in the wild.
They did not present it in May. They submitted their paper for peer review in May; it was accepted and disclosed this month. The information was not out in the wild… In the meantime they informed the vendors about the issue. The paper is to be presented in November.
I don’t think academic papers, journals and conferences are the right medium for security issues.
Also worrying is the amount of practical, end-user-applicable advice, for example on 802.1x.
Compare this paper/website to the publications around Infineon ROCA where they practically give out pen testing code. (Their code is slow and didn’t take into account GPUs or FPGAs in their research, but the published stuff is way more usable)
That is where all security research is globally presented: journals and conferences like DEF CON and Black Hat. I am not sure what you expected.
Way too long for what? They found the vulnerability, they realized that its extent is huge, they informed CERT (and similar organizations) and gave the vendors a few months to plan to patch it. That is the typical responsible disclosure process. That’s not sitting on the information. That is how you are supposed to do it.