Hacker News

> Perhaps collectively as a community we can create public bug and privacy bounties that enable and incentivise more work like this

Interesting idea! If it were ethical (i.e. still properly followed responsible disclosure processes etc.) I’d donate to something like this.

EDIT: Also if supported by someone like the EFF maybe there could be a degree of legal cover for any potential issues.




“Responsible disclosure” is a concept mostly proposed by companies looking to accommodate their own willful irresponsibility. This is even more true in the case of intentional privacy violations by software vendors. The responsible thing is to immediately put these companies on blast the moment this kind of spying is uncovered.


I do see your point, but I still think a standardised way to at least make sure the vendor is aware of the issue would be needed if we're talking about a formal program. Not necessarily holding off publishing to do so though.

But I don't mean to back the side of vendors unduly here...


What ethical issue do you see? What is there to responsibly disclose? Software vendors do this on purpose; they don't need notification.


> Software vendors do this on purpose; they don't need notification.

I must admit I didn't put much thought into my comment on ethics but I guess what I had in mind is perhaps a scenario where the behaviour is not actually intentional, and the vendor should at least be properly informed that there may be leakage (to them) of private data as opposed to just jumping straight to blogging about it.

So rather than "responsible disclosure" perhaps just a code of conduct to ensure that such a program doesn't just attract people looking for glory and blog posts, but actually has a standardised way to report these issues to the vendor and give them an opportunity to fix and/or respond.

I don't mean to dilute the core of the idea though, it's a good one, and it definitely needs to be geared towards being in favour of the consumer rather than letting the vendor off the hook.


I don't understand why that would be important.

The only value in responsible disclosure is protection of users. If you figure out there's a way to harm a boatload of people, it's nice to do what you can to ensure it can't happen before telling everybody how. It makes sense. But there's a very good reason it comes with a not-too-distant deadline before you give up on it.

But this? We're talking about finding ways that people are being actively harmed. How does "responsible disclosure" come into play here?

The only thing it would seem to do is to protect companies and their bad decisions. That's not the point. At best they've screwed up, and at worst they're actively malicious. How do users not deserve to know that they are being harmed as soon as possible? How do potential users not deserve to know that they will be harmed by using the product, and that the company is either doing a poor job of protecting them or actively trying to exploit them?

There's no reason to try to attach any ideas of "responsible disclosure" here unless you're explicitly trying to protect the vendor.


I’m not suggesting a delay. Responsible disclosure was the wrong term to use.

The distinction I was trying to draw is that rather than just blogging about it or unleashing a Twitter storm and jumping straight to an adversarial public crucifixion of the vendor (and by all means do that as well), there should be a standardised process of also contacting that vendor directly and engaging with them to give them an opportunity to fully understand what is being reported, reproduce the issue (in the case of it being unexpected) and fix the problem. Some vendors won’t engage or will stick their heads in the sand, but others may actually choose to address the problem. This is also in the users’ best interests.

Some issues will hit Hacker News or gain visibility in other ways, but other issues that are published may not naturally reach the eyes of someone at a vendor unless the person publishing actually takes steps to contact them. That’s the point I was trying to get across.

Not suggesting any of that is a prerequisite to publishing anything publicly in parallel.



