by LadyCailin 282 days ago
I would say that it is responsible disclosure. Or anyways, not doing that is irresponsible disclosure. The corporation may be hurt by early disclosure, and that’s whatever, but very often, there are a ton of ordinary people that are collateral damage, and the only thing they did wrong was exist in a society where handing over hoards of personal data to a huge corporation is unavoidable.

So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.


This seems to presume the company is ready and willing to take feedback.

Maybe things are better now.

Years ago the only contact for many companies was through customer service. "What do you mean you're in our computer? You're obviously on the phone!"

Also "Oh, you hacked us? We'll call the police right away. You're going to jail." - followed by you actually going to jail for many years. Sometimes, anonymous, public, uncoordinated disclosure actually leads to the best security outcome in the long run, since security researchers in jail isn't that.

Yes. I live in a state where a journalist reported a Department of Education system leaking teacher SSNs and the governor sent state troopers after him.

Doing the right thing can be awfully unpleasant.

> This seems to presume the company is ready and willing to take feedback.

Near the bottom of the blog post it says:

> When | What Happened

> Day 1, same day | RBI fixes everything faster than you can say "code red"

> Credit where it's due – RBI's response time was impressive.

Oops. I mean that generally my experiences have been less good.

You're assuming that the choice is between immediate public disclosure and coordinated disclosure. Doing "the responsible thing" takes effort that is often disrespected (sometimes to the extreme).

I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.

Agreed.

Cracked a thrift store IoT medical device. Contacted vendor. They sent me a one way NDA. Lol no.

I've been trapped in a quasi-NDA on bug bounty platforms too. The vendor just refused to make the report public long after the vulnerability had been fixed, likely to cover it up in case of any resulting damages claims (it was a financial platform and the bug affected withdrawals of customer funds).

The platform knows my identity, publishing the details would be against their terms, there's an implied threat that they could take legal action against me if I published the details, and they even low-balled the severity to avoid paying out the appropriate amount. Awesome experience overall.

What about users who are affected by the vulnerability in the time it takes between reporting to the vendor and remediation?

That's the tradeoff. If you disclose it broadly without a grace period, someone who didn't even know about the vulnerability before will exploit it faster than even the best postured companies can fix it.

That seems to depend a lot on the vulnerability, and the company, and the users.

I'm not suggesting in this thread that coordinating with vendors is bad. I'm suggesting that to frame any non-coordinated disclosure as inherently irresponsible is bad, and that is what is implied when we use the label "responsible disclosure" for "coordinated disclosure".