When responsible disclosure becomes unpaid labor: governance
🔒 Responsible disclosure expects timely, respectful responses, but many researchers now face months-long silence, disputed severity, or shifting scope that turn cooperative reports into unpaid, uncertain work. When maintainers lack resources or formal processes, reporters are pushed into a gray zone of public disclosure, legal escalation, or ethically ambiguous actions. CISOs should treat disclosure as an operational function: set SLAs, clarify triage criteria, offer non-cash recognition, and fund critical open-source dependencies to reduce adversarial outcomes. These steps help preserve trust, lower regulatory and reputational risk, and improve patching outcomes.
