I submitted a vulnerability to the kubernetes hacker one program In August, it was triaged by hacker one staff and the last update was its being discussed internally with the kubernetes team, that was 4 months ago. I chased it a month ago but got no response.
It's not a critical issue, but it think this timescale is a bit too long.
As a maintainer: some issues take longer to triage than others. Especially if they are not CRITICAL, and there's a huge holiday season in the midst of it. :)<p>I know I have been involved in a couple which took time to agree on a "best" solution and to find people to tackle them.