by dcow 600 days ago

It’s unethical to users who are at risk to withhold critical information.

If McDonald's had an E. coli outbreak and a keen doctor picked up on it, you wouldn't withhold that information from the public while McD developed a nice PR strategy and quietly waited for the storm to pass, would you?

Why is security, which seriously is a public safety issue, any different?

2 comments

It's different because bad actors can take advantage of the now-public information.

The point of a disclosure window is to allow a fix before _all_ bad actors get access to the vulnerability.

And some may already be taking advantage. This is a perfect example where users are empowered to self-mitigate. You’re relatively okay on private networks but definitely not on public networks. If I know when the bad actors know, then I can e.g. not run qbittorrent at a coffee shop until it’s patched.

What about a pre-digital bank? If you came across knowledge of a security issue potentially allowing anyone to steal stuff from their vault, would you release that information to the public? Would everyone knowing how to break in make everyone's valuables safer?

Medicine and biosafety are PvE. Cybersecurity is PvP.