[Retric]

Some companies will keep systems vulnerable indefinitely. If a company hasn’t fixed the issue in a year, public disclosure is likely a better option than doing nothing.

[kevincox]

Yes, that is why responsible disclosure almost always comes with deadlines. You give the chance for the company to resolve the issue and mitigate user impact. But if they are taking so long that the user impact will be higher than you just disclose.

[akerl_]

What if your assessment is that the user impact is already high enough that the right time to disclose is immediately?

[kevincox]

If you assess that the best time to publicly disclose is immediately then disclose immediately.

But I find that this case is rare. Typically it would be something like many of the following being met:

- It is likely to be discovered by an attacker soon.

- History shows that the company is unlikely to fix it soon.

- Users have some way to protect themselves.

- Your disclosure is likely to reach a significant number of users.

[akerl_]

How do you know it hasn’t been discovered by another attacker already?

[ranger_danger]

You don't, but you make a judgement call based on different criteria, such as how difficult the issue was to find, maybe how popular/big the site is, etc., as to whether or not you think anyone else is likely to know about it already.