
Responsible disclosure is built on an assumption that “doing the right thing” will be met with timely action, fair treatment, and professional respect, if not a bounty award. Increasingly, that assumption is failing. And when it does, organizations alienate researchers and create regulatory, legal, and reputational risk.
Over the past few years, security researchers have found themselves waiting months, sometimes more than a year, for companies to acknowledge responsibly disclosed vulnerabilities, even as the same flaws quietly put customers at risk. In several cases, frustration over silence, disputed severity assessments, or shifting scope boundaries pushed researchers toward public disclosure, legal escalation, or questionable behavior that companies later characterized as extortion.
As vulnerability reporting becomes slower, more bureaucratic, and less rewarding, the line between cooperative research and adversarial pressure is blurring. For CISOs, this is no longer an ethics debate. It is a governance and risk-management problem.
