alt Hacker News> Expecting people to hold off on disclosure of something harmful
That's not what they said though. They said "please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away" (emphasis mine)
> Expecting people to hold off on disclosure of something harmful
That's not what they said though. They said "please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away" (emphasis mine)
I do think hitting "send" on the email to the responsible party immediately before publishing (or at least notifying them as quickly as you can afterwards) is a smart thing to do. I mean, why wouldn't you? My concern was more about the "Not having a bug bounty or dedicated email address does not make it OK to go public immediately" comment. It can sometimes be difficult to track down the right person to notify and so when the risks to people are high enough whichever one you can accomplish the soonest is probably where I'd start.