EH-Net forum: Network Pen Testing
Topic: Which disclosure philosophy?
UNIX
« on: July 09, 2009, 02:33:27 AM »

Hello,
lately I had some discussions about disclosure philosophies. Although I am currently not really into any big exploit development scene, I am still interested in this area. I would like to know if you follow any strict methodology in the disclosure process, and how you think about the moral and ethical side of this.

I have found a similar thread on this topic, but it focuses more on the problems regarding certifications. Still interesting and worth reading.

Personally I don't follow any strict rules, as I think it depends on the case itself. Full disclosure, which is probably best known from HD Moore, is certainly important to push and force companies to supply patches and updates. Also, if a vuln. was found which is not public yet, it doesn't mean that no one else is aware of it. But it also means that this information is available to everyone, although not everyone is patching it (if someone is aware of a critical hole in her system she will probably fix it, but often people with little computer knowledge are not aware of it, although it is well-known).
Another fact I like about full disclosure is that vendors probably have to do something in order to fix the vulnerability so as not to lose any customers/clients and "face". However, I have often experienced that companies don't even reply if they are informed privately first and given some time to fix the problem. I have also experienced that companies replied in a very angry manner and threatened the person who found the security issue with a lawsuit if she published her findings.

Although there are many advantages in full disclosure, there are also disadvantages. When an exploit is released for some very critical systems it may cause huge damage before a patch can be supplied. For this reason I think that it is good in general (again, I think there is no methodology that applies to every case) to first give the information to the manufacturer (responsible disclosure) and then publish it to the public after a certain period of time (is there actually any guideline on how long to wait? Wikipedia writes about fourteen to thirty days, but I read on some other websites about six months).

I would like to know how other EH-Netters think about this and if you stick to a certain routine... hope to have a little virtual discussion too.
ElCapitan
« Reply #1 on: July 10, 2009, 11:35:18 PM »

Disclosure to the vendor is noble; however, as you said, vendors may reply in a very angry and threatening manner.

Personally, if identifying the vuln involved violating the EULA, I would not disclose it to the vendor. It wouldn't be worth the personal risk. One would also have to be careful not to violate other laws. Some that the EFF mentioned:

  • Computer Fraud and Abuse Act
  • Anti-Circumvention Provisions of the DMCA
  • Copyright law

If it seemed extremely important to disclose to the vendor (even in violation of the above), I would go to great lengths to remain anonymous.

I'm not experienced in the exploit development scene anyway, so this is all hypothetical.
timmedin
« Reply #2 on: July 14, 2009, 06:29:16 PM »

I prefer a hybrid approach...

I would prefer vendors be given a chance to resolve the issue; if they don't take care of it in a reasonable amount of time, then public disclosure lets everyone take steps to mitigate the issue.

Some companies (becoming fewer) attack the person who found the issue. In that case I would suggest the same as ElCapitan: that you release the issue but maintain anonymity.

I understand that many would disagree with me, since this topic seems to be as close to a religious debate as PCI.
UNIX
« Reply #3 on: July 15, 2009, 12:47:36 AM »

I wasn't sure if I should ask this question, but as it concerned me and this is certainly a place in which it can be asked and good answers can be expected, I did. Also, I tried not to ask which one would be the best or most ethical at all, but about your personal opinions on it.

Thanks for your replies, much appreciated.

I think some vendors misinterpret a report and see it as some kind of personal attack, unfortunately. Normally one would think that they should be happy if a bug or vuln. was found, as it should result in bugfixes and updates which eventually lead to a better (more secure) product. Maybe they are afraid of the possible results, which are not only the work/effort to fix the issues and spending money on it.
© 2013 The Ethical Hacker Network