Hacker News

kstrauser, yesterday at 8:34 PM (1 reply)

> and it seems that experimenting with odd vulnerability disclosure schemes is frowned upon.

Good grief, you weren't kidding.

No kidding, my guy. We've spent a few decades coming to a rough consensus on the right way to report findings. No one's likely to have patience for trying something totally different where they don't have standardized playbooks to follow.


Replies

chrismorgan, today at 5:52 AM

Rough consensus on the right way to report isolated findings. Report one hole, and that hole will be fixed, but you don’t expect anything beyond that.

If you have systemic or architectural problems, that procedure doesn’t work. It will amount to putting one or two bandaids on an entire sieve.

If a building inspector finds a small number of fixable problems, they’ll give a report saying “fix this, this and this, then you’re okay”. If they find a large number of issues in the first stages of their inspection, they might stop the inspection and perhaps even decline to tell you what the problems are, because that would lead to patching those things, while the underlying posture remains unchanged. (And for some sorts of structural problems, they may just condemn it as unfixable.)

It’s clear that jvoisin considers the typical vulnerability disclosure procedure to be inapplicable and/or harmful in this sort of way. I can’t assess the case on its merits, but I do find it plausible.