SmartThings Platform Security - Response from Alex

Yup… That Topic has become derailed somewhat; lots of dog memes!

There doesn’t seem to be a single industry standard for vulnerability discovery disclosure, though there are some common themes.

The condition that the “discoverer” should have the right of first-publication seems to be in a grey area, ethically speaking, as far as I am concerned. While researchers and media “earn” some benefits from using a cooperative disclosure arrangement, I think vendors/companies also deserve the right to inform customers (and platform/community developers) prior to a possibly confusing media frenzy.

This isn’t the place to discuss disclosure policies in detail, but I found a random (and dated 2005) student paper that compares various options, which folks who are interested might glance at, and we should spin off a Topic for discussion?

Page 18: