David Wells writes:
Signal Private Messenger’s ease of use, multiplatform support, and end-to-end encryption for both text and calls have attracted millions of users per day. Even Edward Snowden, the well known American Whistleblower, claims “I use Signal every day.”
So this month, when I disclosed a way to leak a user’s DNS server simply by ringing their Signal number (CVE-2020–5753), I was happy to see how fast they patched it. Revealing a Signal user’s DNS server can potentially reveal coarse location, but as we will later see, in instances such as Google Public DNS (188.8.131.52/184.108.40.206) and others, this attack can narrow the location down to the Signal user’s city due to usage of EDNS Client Subnet.
Unfortunately, at the time of this writing, the patch is not yet available on the Google Playstore or Apple AppStore, and due to our disclosure policy, we disclose issues once any patch or information pertaining a vulnerability goes public, such as this case.
Read more on Medium.
The disclosure policy is their policy, not law, and if they think it may put more people at risk to disclose this before the patch is available on Playstore or Appstore, then why the heck did they disclose it now?