Provide “safe harbor” policy regarding vulnerability reporting
Acknowledging exploits about a company that makes no effort to hear about security oversights can be risky depending on which way they decide to respond in the moment. Proceed with caution.
When a company deletes exploit reporting, stop until they’ve demonstrated a compelling commitment away from adversarial escalation and towards ethical response.
