Hacker News

entuno, today at 11:40 AM

Vulnerability disclosure in general is just miserable. Before all the bug bounty issues it was pretty common to:

* Spend ages trying to find someone to submit a report to.

* Waste a whole load of time fighting through the generic contact and support desks to try and get your report to someone who understood it.

* Get completely ignored by the developers.

* Spend time reporting a bug only for them to silently fix it without even bothering to respond to you, let alone acknowledge you.

* Get legal threats for making a good-faith bug report, even if you found it in a locally deployed instance of the software.

* Get called a black hat and more legal threats when you give up and just go down the full disclosure route.