C'mon, biz: Give white hats a chance to tell you how screwed you are

Anonymous Coward

Re: LOOL @ Dunn

It highly depends on which company you are reporting the vulnerability to... I'm guessing John is not only talking about software vendors. Yes, software vendors have occasional security updates, but that does not mean it was found via responsible disclosure, and if it is, it does not say anything about how they handled the disclosure.

If all software vendors handle these disclosures correctly then we would see things like this:

https://www.zdnet.com/article/windows-zero-day-vulnerability-disclosed-through-twitter/

Furthermore, you mentioned yourself, "they are doing it as a marketing stunt". That's the exact danger we are talking about (Blueprint Cyber Security).

We have much experience reporting issues to companies that have this policy and forgot about it. In the past it turned into legal action threats, despite us following their self-published guidelines.

Furthermore, we stated that our company has not done proper research but it's based on our experience when reporting these vulnerabilities.
