What are the risks associated with the different disclosure philosophies, if there are any,
There are. The most known ones are informing the company and waiting, informing the company and disclosing it, or simply disclosing it. Depending on the "color of hat" you're wearing, this decision can be easy.
and which problems can you see with one or the other?
Being the white hat that I am, I would always inform the company/person who owns the software first, and give them a time window (depending on the complexity of the vulnerability) to fix it. After that I would disclose it to the "scene". The only problem that occurs is that most companies don't appreciate the effort you took to hunt down the vulnerability. This can lead (depending on the country) to lawsuits and everything that comes with it.
Would you agree to the statement that responsible disclosure is only appropriate when doing a hired pentest for a client and not from an individual's perspective?
In an ideal world this would be the way to discover vulnerabilities. The problem that is addressed here lies with the average quality of software that is being produced. Once this is taken care of (and again, in an ideal world security would be implemented throughout the whole development process), the only reason to do a pentest would be to check if all security measures are taken and all the settings are correct.
CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT
Earning my stripes appears to be a road I must travel alone... with a little help from EH.net