by dns_snek 284 days ago
You're assuming that the choice is between immediate public disclosure and coordinated disclosure. Doing "the responsible thing" takes effort that is often disrespected (sometimes to the extreme).

I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.

1 comment

Agreed.

Cracked a thrift store IoT medical device. Contacted vendor. They sent me a one way NDA. Lol no.

I've been trapped in a quasi-NDA on bug bounty platforms too. The vendor just refused to make the report public long after the vulnerability had been fixed, likely to cover it up in case of any resulting damages claims (it was a financial platform and the bug affected withdrawals of customer funds).

The platform knows my identity, publishing the details would be against their terms, there's an implied threat that they could take legal action against me if I published the details, and they even low-balled the severity to avoid paying out the appropriate amount. Awesome experience overall.