> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure?

Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.

It’s not even really a matter of liability IMO, it’s just the right thing to do.

(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)
