No evidence, but the fact that the "IngressNightmare" PR piece was announced before there were even PRs created to fix this smells like the team at Wiz leaked this before it was really ready.
Whether the scores are legit or not, the fact that this was such a botched disclosure process is not a good look for the Kubernetes project, of which this is a part.
Edit: According to [1], the team at Wiz show a responsible disclosure timeline. Seems like the Kubernetes project's process didn't work so well. If Wiz is accurately reporting what happened in their blog, these fixes (or the plan for them) were available a month ago, despite seemingly not having working PRs until today, after the security announcement?
Again, I really appreciate the work of the team to ship this, but this isn't a good look for the Kubernetes project itself.
[1] https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabili...