
> Publishing an extension to the Chrome Web Store that lets anyone exploit the bug is NOT the responsible way for anyone to "highlight" a security issue unless normal channels have repeatedly failed

I think that's the core behind responsible disclosure. If I were management at Facebook - I would be perfectly fine if he published a paper about it after we patched the bug (in fact I would encourage him to do it) - but not create an exploit allowing N number of people to use it and then tell me about it.

Edit: changing point of view

If someone told me about an exploit in one of my sites - I might even pay him a small reward.

There are, of course, those who are completely out of touch with reality and completely ignore legit issues. Never forget the Super Meat Boy incident of 2010 [1]. That has actually made me stop playing their games - because it makes me uneasy to think they were sitting at the kitchen table or in the office thinking "it would be a great idea if we connected a MySQL server directly to query custom level data!" - and didn't at least find someone to bounce that off of, to wonder why other people aren't doing that.

[1] http://forums.somethingawful.com/showthread.php?noseen=0&thr...
