DEV Community

Discussion on: Public vs Private disclosure

Jæk

To get us started, here are some of my thoughts...

  1. Responsible disclosure is important when the potential impact of a vuln is large.
  2. Responsible disclosure can allow maintainers to hide from the issue.
  3. Public disclosure can act as a call to action for the community.
  4. Public disclosure puts the maintainer on a timeline, meaning they need to react quickly (can be seen as both bad and good).

In my opinion, both are necessary for different use cases and depending on the size of the package. But, if I had to pick one, I think I would side with public disclosure when talking about open source packages, as it is hard to find an attack vector when the package isn't tied to a specific organization, and so the benefit of open disclosure (for me) outweighs the negative effect it could possibly have.

Feel free to fight me on any of this...