According to the bulk of the guidance, the aim of Responsible or Coordinated Vulnerability Disclosure (CVD) is to improve the security of IT systems by sharing knowledge about vulnerabilities. Owners of IT systems can then mitigate vulnerabilities before they are actively abused by third parties. But with the sheer amount of guidance out there, is there sufficient advice for individual researchers, or even just interested persons who discover 0days, to be able to disclose without risk? This talk will address the balance of power between vendor and discloser and assess how heavily the guidance is weighted towards vendors, to question whether there really is a risk-free way to disclose.
