NXP is committed to working with the reporter of the vulnerability to establish what a responsible disclosure by the reporter can be. The ability to upgrade or patch NXP’s products in the field is very different from that of, for example, PCs. NXP’s products are chips with embedded software, often deployed in systems where it is not easy, or not possible at all, to update products that are already in the field.
Hence a responsible disclosure will often need a longer timeframe or a limitation of the information in the disclosure (e.g. anonymous disclosure: disclosing the technicalities of the attack without disclosing the affected products). This allows NXP’s customers to migrate and mitigate the vulnerability before the reporter’s disclosure can cause damage to those customers’ systems.