
selectively, yesterday at 7:02 PM

Researchers are under no obligation to engage in coordinated disclosure and are free to sell 0day for profit. Just fyi. Be glad it was disclosed at all. Be glad a patch was available prior to release.


Replies

lambda, yesterday at 7:08 PM

If they want to be seen as responsible rather than opportunistic, then yeah, they should do a proper coordinated disclosure.

Sure, they have no legal obligation to disclose, but we all also have no legal obligation to buy their services. Blacklisting bad actors like this is the right move to discourage this kind of behavior.

lrvick, yesterday at 8:55 PM

Unfortunately this is correct. As a security researcher I set millions in profit on fire for reporting vulns to projects that offer no bounties vs selling to the highest bidder. I keep doing it because it is the right thing to do, but I would not blame someone who needs to feed their family for making a different choice.

We must get public funds to reward ethical disclosure of big impact vulns like this.

jojomodding, yesterday at 8:07 PM

> are free to sell 0day for profit.

This is not true in many jurisdictions.

kelnos, yesterday at 7:37 PM

I'm pretty sure they have a legal obligation in most jurisdictions not to sell 0days for profit.

And they absolutely have a moral obligation to do things in a way to minimize damage and impact to other people's systems. (I'm not saying "responsible disclosure" is the correct way to do that, but hoarding vulnerabilities and exploits and selling them to the highest bidder certainly isn't.)

This is how society needs to work.

bigbadfeline, yesterday at 9:42 PM

> Researchers are under no obligation to engage in coordinated disclosure and are free to sell 0day for profit. Just fyi. Be glad it was disclosed at all.

I'm so glad these so-called "researchers" aren't totally evil, I'm so grateful they're only half evil, give them a lollipop.

Whatever, the way they disclosed it isn't much different from no disclosure at all - the exploit would have been identified in the wild and fixed soon thereafter.

"Researchers"...

ux266478, yesterday at 8:49 PM

mmmmmm, no it would seem like they are absolutely under a social obligation to not do that.

estimator7292, yesterday at 8:48 PM

[flagged]

grayhatter, yesterday at 8:05 PM

> Researchers are under no obligation to engage in coordinated disclosure and are free to sell 0day for profit.

Uh... no? If you mean legally, some people might, depending on jurisdiction. But also, ethically? Yes, researchers are ethically obligated to disclose responsibly.

> Just fyi.

...

> Be glad it was disclosed at all. Be glad a patch was available prior to release.

I am glad that a patch was available. Equally I can be glad that the Linux community is strong enough to respond quickly, while also being angry that this person behaves unethically.

Likewise, when people in my industry behave poorly or unethically, I'm now the person ethically obligated to both point it out and condemn it. Not to become an apologist demanding I should be happy watching bad things happen, when much of the fallout could have been prevented with a bit less incompetence and ignorance.

eschaton, yesterday at 7:33 PM

They should have a legal obligation to engage in coordinated/responsible disclosure, and it should be a crime to sell or disclose a 0day to anyone other than a state-designated security organization or the vendor/provider.

If it won’t be handled through criminal law then it’ll be handled through civil litigation: Anyone who was exploited as a result of this disclosure should sue the discloser for contributing to the damage they’ve suffered.