> You're saying that conceptually there is such a thing as being "responsible" or "irresponsible" about disclosure, and I think that's true!

I'm saying more than that.

We both seem to agree that there is an ongoing war about disclosure; and that large vendors (through a mix of good, neutral, and bad intentions) are warring to make disclosure more convenient and less painful for themselves, to the detriment of their users (and ultimately themselves as well); and that the use of words is one arena in which that warfare exhibits itself.

But we've come to opposite conclusions about the best way to fight the war in this specific arena.

You've observed that companies are trying to define "responsible" to mean "commercially responsible". But rather than recognizing this attempt at redefinition as an attack, and insisting on using the word "responsible" to actually mean responsible towards users, you seem to think that the use of the word itself is an attack; and want to instead try to insist on using a different term, "coordinated disclosure".

I think that's a bad strategy. You're advocating that we surrender the word "responsible" entirely to large vendors. Large vendors are not going to stop using the word "responsible"; if right-minded security researchers simply abandon the word, then the broader public are going to be entirely at the mercy of vendors to decide what's "responsible". Furthermore, as I've argued, using "coordinated" shifts all focus to the vendor, removing any focus from the user at all.

In the war over disclosure, your strategy seems to me to hand a massive win to big vendors.

I think a much better strategy is to counter-attack. The word "responsible" is too valuable a term to just give up. We must continue to insist that "responsible" means "responsible to users"; and we must continue to insist that there are times when pressuring and even embarrassing large companies is the most responsible thing to do.



There's nothing I can say to this that I haven't already said. "responsible disclosure" is a term of art. It means something you don't mean. You can redefine it for yourself, but people reading you will take its actual meaning, not yours.



