I understand what you're trying to say. You're saying that conceptually there is such a thing as being "responsible" or "irresponsible" about disclosure, and I think that's true!
The problem is that (charitably) the term of art (or uncharitably, brand) "responsible disclosure" is attached to some very specific norms, including "not releasing vulnerabilities without a patch" and "giving vendors a commercially reasonable amount of time to create a patch" and "working closely with vendors to coordinate that time window" and "redacting or carefully reducing POC code", which are not themselves universal or even generally "responsible".
They're commercially responsible, to be sure! But it should not be an obligation of unpaid third-party researchers to expend any effort whatsoever to be responsive to a vendor's commercial concerns. It's a nice thing to do, and some people are just preternaturally nice to vendors, and that's usually fine, but there's nothing deontologically "responsible" about that.
> You're saying that conceptually there is such a thing as being "responsible" or "irresponsible" about disclosure, and I think that's true!
I'm saying more than that.
We both seem to agree that there is an ongoing war about disclosure; and that large vendors (through a mix of good, neutral, and bad intentions) are warring to make disclosure more convenient and less painful for themselves, to the detriment of their users (and ultimately themselves as well); and that the use of words is one arena in which that warfare exhibits itself.
But we've come to opposite conclusions about the best way to fight the war in this specific arena.
You've observed that companies are trying to define "responsible" to mean "commercially responsible". But rather than recognizing this attempt at redefinition as an attack, and insisting on using the word "responsible" to actually mean responsible towards users, you seem to think that the use of the word itself is an attack; and want to instead try to insist on using a different term, "coordinated disclosure".
I think that's a bad strategy. You're advocating that we surrender the word "responsible" entirely to large vendors. Large vendors are not going to stop using the word "responsible"; if right-minded security researchers simply abandon the word, then the broader public are going to be entirely at the mercy of vendors to decide what's "responsible". Furthermore, as I've argued, using "coordinated" shifts all focus to the vendor, removing any focus from the user at all.
In the war over disclosure, your strategy seems to me to hand a massive win to big vendors.
I think a much better strategy is to counter-attack. The word "responsible" is too valuable a term to just give up. We must continue to insist that "responsible" means "responsible to users"; and we must continue to insist that there are times when pressuring and even embarrassing large companies is the most responsible thing to do.
There's nothing I can say to this that I haven't already said. "Responsible disclosure" is a term of art. It means something you don't mean. You can redefine it for yourself, but people reading you will take its actual meaning, not yours.