[tptacek]

Accidents and vulnerabilities are not directly comparable, so a position on vuln disclosure does not necessarily imply a particular position on accident assistance.

I would feel a moral obligation to help mitigate concrete physical harm to victims of an accident. I feel no such obligation to protect against hypothetical threats to computer systems.

Chances are, you recognize similar distinctions; for instance, I doubt you feel obligated to intervene in accidents that pose only minor personal property risks.

[danbruc]

That is also my point of view, severity and other factors matter. But that also seems to imply the same thing for vulnerabilities - discovering a remote code execution vulnerability in Windows might warrant a different action than a hidden master password in an obscure forum software no one really used in a decade. The danger is still more abstract but it can still cause real harm to real people.

[tptacek]

I would personally disclose RCE in Windows, not least because I think Microsoft does a better-than-average job in dealing with the research community.

But I need to be careful saying things like that, because it is very easy for me to say that, because I don't spend any time looking for those kinds of flaws. Security research is pretty specialized now, and I don't do spare-time Windows work. I might feel differently if I did.

I would not judge the (many) researchers who would not necessarily disclose that flaw immediately.

[ktRolster]

IF there is a vulnerability, it might already be in use by hackers. People need to know about it immediately, so they can defend themselves (by closing a port, or switching to a different server or something). Companies need to be encouraged to find and fix this kind of thing without waiting for a embarrass them by finding it.