by BiosElement 2517 days ago
No, it's called Responsible disclosure. https://security.stackexchange.com/questions/52/how-to-discl...

By not contacting the developer first, you're acting in bad faith. This opens you up to all kinds of legal liabilities, not to mention the social exclusion that will occur.


Nonsense. “Responsible disclosure” is a term coined by vendors to shame researchers who don’t play ball.

There’s no implicit “bad faith” in full disclosure or even the sale of weaponized 0day exploits.

Oh this trope again. I am no vendor and I fully support the idea that security researchers coordinate their publication activities with affected parties.
Great, me too. But I also fully support the idea that people should be allowed to do whatever the fuck they want with their work product. (within the limits of the law, of course)

Charity is nice, but I’m not going to insist that you donate your whole paycheck!

> I also fully support the idea that people should be allowed to do whatever the fuck they want with their work product. (within the limits of the law, of course)

Do you want ham-fisted regulations? Because that's how you get ham-fisted regulations.

Lawmakers analogize. All it takes is for some bright representative to think that "vulnerability disclosures" are more akin to "burglary tools" than to public service announcements to justify criminalizing third-party security research (or the resulting disclosures).

> All it takes is for some bright representative to think that "vulnerability disclosures" are more akin to "burglary tools" than to public service announcements

It doesn't even take that much - throwing around terms like "bad faith" and "legal liabilities" suffices to create a hostile legal regime through common law torts. I'm okay with socially condemning unilateral disclosure as a likely assholeish thing to do, as long as we acknowledge that being an asshole is perfectly legal.

I'm admittedly not up to speed on this particular soap opera, but it seems like the real blameful parties here are Gizmodo et al - scraping the bottom of the barrel for raw technical tidbits, and then escalating them into sensationalist "news" narrative rather than performing any sort of responsible interpretation.