by sz4kerto 2801 days ago
Depends on the industry. E.g. if you're working in defense or healthcare, then just the possibility of a data leak might be something you're obligated to report on. And a Google- or Facebook-size company might easily fall into the category where even "near miss" events should be disclosed.

Basically, you have to conduct an internal risk evaluation, and depending on the overall risk assessment, you may or may not need to publicly report on it. Of course the bar is much lower than "certain data leak".

3 comments

I won't do work for the Federal government, but I've worked with companies of all sizes in healthcare, manufacturing, finance, and utilities, and at none of them was it a norm that internal vulnerabilities be disclosed publicly.

People keep saying that there are certain kinds of companies where you have to disclose, and I have come to the conclusion that they are simply making that up because it sounds good to them.

I have worked on healthcare-related systems before that need to be HIPAA compliant; even for those systems, public disclosure of a vulnerability is not a requirement. No software is bug free, and many seemingly benign bugs are security vulnerabilities.

Try to name one company that reports all their bugs (security or non-security) discovered internally.

With respect to "just the possibility of a data leak might be something you're obligated to report on", I haven't heard of this being a real requirement. I would be curious to see links or evidence to the contrary.