Responsible disclosure is dead. And companies killed it.
For decades, responsible disclosure has been the ethical hacker's way of giving companies a chance to fix security issues before they become a problem. It's a noble concept: report a vulnerability, give the organisation time to patch it, and prevent potential harm. But in reality, it rarely works as intended.
After years of reporting security flaws to companies, my experience has been nothing short of frustrating. The response rate? Below 1%. The time it takes to disclose even a single CVE? Over six months. And that’s if you’re lucky enough to even get a reply. Most of the time, companies ignore security researchers, leaving critical vulnerabilities unpatched until a breach forces their hand.
Four months ago, I found a serious security flaw, something that could have had severe consequences. I followed the responsible disclosure route, reached out to the company, and waited. And waited. And waited. Silence. No acknowledgement, no follow-up, nothing. After that, I decided I was done helping companies for free. If they don’t care about their own security, why should I?
At this point, I only report to law enforcement if something poses a major risk. But I no longer go out of my way to help companies that won’t even acknowledge the effort. The industry has made it clear: they do not value ethical hackers unless there’s a PR disaster on their hands.
Companies have a responsibility to build security into their policies, and that includes having proper vulnerability disclosure programs. They should encourage researchers to disclose issues, not push them away with silence or legal threats. The fact that so many businesses still lack even a basic disclosure process is a failure of security governance.
Responsible disclosure didn't die because of researchers; it died because companies refused to engage. Until that changes, don't expect ethical hackers to keep fighting a battle that no one wants them to win.