First of all thanks a lot for the extraordinary good handling of this vulnerability. All steps taken and all information provided I have seen so far seem exemplary!
Now I’m still wondering if there is a public demo exploit. From what I’ve read so far I assume there is none (and personally I’d feel better when that stays for a while like that ;-)). But do you plan to release one at some point and if so could you announce it then?
After looking at the git change set I figured that one would still need Kee/PassRPC specific knowledge, just like you wrote, of the auth process to wirte an exploit. And I didn’t dive into the code so far to do that. However if there is a public exploit or will be at some point I’d be interested in how fast and maybe unnoticed it would go on my specific systems (and if it is really near the minute mark or far off - which I would assume right now…). Therefore I kept the old plugin on all systems which were using it and would do a check once there is a demo. And if it really is a matter of seconds maybe re-evaluate the specific system risk.