There has been something of a revolution in AI-based security research, and I've spent a lot of time over the last couple of months dealing with bug reports, weeding duplicates (so many duplicates!) and triaging bugs into those which need vendor pre-disclosure and those which it's better to make public and fix immediately. Those judgements have been necessarily subjective, but given the number of times "good guys" have found these bugs, there's no doubt that "bad guys" have been able to do the same, so long embargoes seem kind of pointless. There's also the problem that the amount of time and effort, for all actors, needed to co-ordinate an embargo and provide backports is huge. I think the priority for most bugs is to fix them going forward, and have new dnsmasq releases as bug-free as possible. To this end, you may have noticed that there have been a lot of security-fix commits to the git repo in the weeks prior to this announcement.
From the article: