nbpoole | 12 years ago
As much as I support these kinds of programs (https://nealpoole.com/blog/responsible-disclosure-programs/), that's a false dichotomy. Some companies have responsible disclosure policies or vulnerability reward programs. Some companies don't.
Anecdotally, the companies that do have programs don't inherently respond more quickly or handle reports better (i.e., https://nealpoole.com/blog/2013/04/experiences-with-the-yand..., https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my...). In contrast, companies that don't have programs may still be very responsive and willing to work with researchers; I reported issues to GitHub, Etsy, and Facebook before their respective programs were in place, and they always responded quickly and effectively.
It comes down to the people who focus on security at the company and the way in which security is prioritized. If your company doesn't value and prioritize security, a responsible disclosure program won't make anyone's life easier.
In that sense, I do think that companies can and should do a better job of working with security researchers, regardless of whether they have a responsible disclosure program or vulnerability reward program in place. If a company takes security seriously, it should make it easy for researchers to report vulnerabilities. Researchers shouldn't feel that their reports are being sent into a black hole: if they do, they'll be less likely to spend their time reporting issues in the future.
simonbrown | 12 years ago
bluesmoon | 12 years ago
PS: I'm an ex-paranoid. Things might have changed since I left, but I'm pretty sure they'll still listen to reports.
jamespo | 12 years ago