> until everything is a bit more secure because companies take it more seriously
That logic works for full vs. limited (or no) disclosure, but not for immediate vs. 90-day disclosure. In general, the incentive for a vendor with a reasonable embargo period is the same as without, because the effect on their reputation is the same. The only people differently affected are users, who are left more vulnerable for longer than they would have been. Even if one could argue that vendors deserve shaming for what might have been a simple mistake, users surely deserve better.
It's very easy for those who do not suffer the damage from their actions to rationalize their impulsive (or in this case venal) behavior, but that's just another kind of agency problem that people who fling economic jargon around should consider.
> The only people differently affected are users, who are left more vulnerable for longer than they would have been.
The assumption being that nobody else knows about the flaws? We can argue about how likely it is some other people knew about the flaw on a case by case basis, but a blanket statement that assumes that there was no risk while it was unreported is not accurately portraying the situation.
> Even if one could argue that vendors deserve shaming for what might have been a simple mistake, users surely deserve better.
I'm arguing that the risk that the companies exposed people to prior to the announcement (to a small degree), and the risk people may be exposed to after the announcement (to a large degree) are the incentive for someone doing this to take advantage of a short. Would I personally prefer less public risk through a coordinated exposure? Sure. Am I willing to state that it should be required? I don't think so, since that may greatly reduce the incentive of someone looking to do the investigative legwork. I think that's a net loss for the public, since the risk is still there, it's just reduced (since it's not widely known), but it will exist in that reduced state for a long period (possibly indefinitely).
When the choice is between an unknown risk (which can be high) for an indeterminate period or a semi-high risk for a short period (with the ability to mitigate risk as needed, since you know about it), I'll take the latter over the former.
> The assumption being that nobody else knows about the flaws?
Not nobody, but fewer. The information in a disclosure like this will focus a whole lot of miscreants' attention on something they might not have thought of before.
> that may greatly reduce the incentive of someone looking to do the investigative legwork
Now you're the one making assumptions. Most people don't need the incentive of an immediate crisis to do that legwork. Often, the mere fact that the bugs are real is enough, regardless of timelines. In most other cases, the fact that the clock is ticking is sufficient. If somebody has a proven track record of taking these things lightly then forcing their hand might be justified. Otherwise, you're essentially telling people you think they're lazy or negligent when you have no evidence of such. That's not a good way to start a collaborative process, in a situation where collaboration might be key to a timely fix.