by phkn1
4207 days ago
Here we see the other side of the "responsible disclosure" coin -- if the ethical white-hat security researcher is required to withhold publication of a critical vulnerability for a set amount of time, is there a corresponding deadline for timely publication as well? And if that deadline is not met by meaningful attempts at remediation or disclosure, is the researcher not compelled to publish the findings independently? Obviously these companies failed miserably to meet any reasonable person's timeline of disclosure. One question is whether the extra time researching this malware reasonably would have produced additional worthwhile intelligence about its function and targets. If so, then the delay was "worthwhile". Another question is whether it's not better to simply release an incomplete picture to the security community (perhaps selectively) and let the larger hive mind go to work on finding and corroborating additional clues. It seems like the firms chose the former; many HN readers would advocate the latter. So finally, the question remains whether such a forced disclosure would be perceived as an irresponsible "leak" based only upon the disagreement in methodology and interpretation of "responsible"? Would its withholding be considered likewise irresponsible? Can a single firm, a collection of firms, or the security research community at large meaningfully stay ahead of a dedicated state-funded attacker? (Probably, probably, probably not.) If a nation-state is producing malware, it logically will also be monitoring the channels of disclosure for evidence of its release and detection in the wild. But that's no reason to limit the resources being dedicated to protecting the public; it's egotism at best and collusion at worst.