No, they most certainly are NOT under any obligation to the users of the
software, any more than to the developers of it... Moral, or otherwise...
Besides which, publicly releasing the details of the flaw they discovered
is benefiting and protecting the users, NOT exposing them to any kind of
risk... They WERE previously at risk for who-knows-how-long, because they
were using buggy, exploitable software; but, NOW, they've been informed of
the problems with it, and can take action to protect themselves... Therefore,
they are at much LESS risk than they were before the public disclosure!
It's really quite simple... You seem to be laboring under the delusion
that the security hole doesn't exist until it has been publicly disclosed...
If that were true, then the "responsible disclosure" people might actually
have a valid point... But, it's not true in any way, shape, or form...
They don't CREATE these security holes merely by discovering their existence...
The holes were pre-existing, and it wouldn't be "responsible" or "moral" to
keep knowledge of their existence private, after they have been discovered...
In fact, it would be extremely dangerous and INCREASE users' risk, unless
you kept it completely to yourself, and you were honorable enough to never
take advantage of the security hole yourself... If you tell ANYONE about
it (even just the developers), you increase users' risk, unless you also
tell all of the users at the same time... Because, you can't vouch for
the ethics of everyone you tell (or everyone they tell, or everyone THEY
tell, or etc.)... Once you tell another living soul, the cat is out of
the bag, and you have to consider the exploit "in the wild", basically...
And, failing to inform the users in that case, and leaving them vulnerable
to being exploited by the hole all that time, is what is truly "irresponsible"
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds