2018/5/24 - 10 days after the public disclosure of EFAIL, Bruce Schneier commented on the disclosure process. This is a long, in-depth and worthwhile article about the process of vulnerability disclosure and email security in general. Link to the full version.
Expect more of these kinds of problems in the future. The internet is shifting from a set of systems we deliberately use—our phones and computers—to a fully immersive internet-of-things world that we live in 24/7. And like this email vulnerability, vulnerabilities will emerge through the interactions of different systems. Sometimes it will be obvious who should fix the problem. Sometimes it won't be. Sometimes it'll be two secure systems that, when they interact in a particular way, cause an insecurity.