It is not such a hypothetical question, as the ROCA attack gave us a taste of that in autumn 2017. A lot of stuff was happening behind the scenes and I believe there are many enterprises yet to realise some important vulnerabilities (e.g., encrypted documents without proper protection).
What happened then was that affected parties were notified some 9 months before the attack publication. Interestingly, the publication date was fixed mainly because it was to be presented at a conference, so companies like HP, Microsoft, Google couldn’t make the authors push the date of the publication. Although they did it successfully for the pre-release notification, which made life harder for companies “further down the food chain”.
For anything on that scale, assuming it was discovered by law-abiding persons/companies, the “management” of the knowledge would likely be taken over by security agencies or a wide consortium of enterprises or both.
Now, let’s assume the inventors are not happy with keeping it secret and simply publish it - everything is pure speculation :)
- day 1 - authors will try to find publishing outlets and start getting visibility
- day 2 - first injunctions and gagging orders are issued, news spreads via social networks
- day 7–14 - it will be taken seriously enough for people to start verifying the discovery
- day 14 - security patches for web browsers and applications that will extend RSA signatures with timestamps, peer-to-peer verifications, etc
- day 21 - corporations start realising that the biggest problem is document stores (not transactions)
- day 30 - there are tools out there - closed and open-source
- day 90 - many applications replace RSA with peer-to-peer symmetric encryption
- 1–2 years on - RSA replaced with a new algorithm