I am almost finished with the article, so I wasn't exactly looking for answers to my questions. I thought it might be useful as some kind of input.
zeroflaw wrote: It's a bit of common sense in my opinion as you don't want to hurt the company.
Here it also depends on the viewpoint, in my opinion. Disclosure does not have to mean that you try to hurt a company. E.g., if you have found a vulnerability, reported it to the vendor and are then waiting, how can you know that someone else hasn't found the same vulnerability and is using it? During the whole reporting and waiting process, it's not clear how many people are already aware of it and exploiting it to their benefit. Full disclosure might here put very hard pressure on the vendor, as already stated by Ketchup, to take action and come up with a fix.
If you were hired by a vendor to do a vulnerability assessment or pentest, this question does not come up, as it's clear that your findings belong to the vendor only. I think one must differentiate between the viewpoints here.
Unfortunately some ignore [them] totally, which can be very frustrating. I have seen quite a few vendors who not only ignored the reported vulnerabilities, but even tried to threaten the researcher with legal measures. I think that's a sad thing, as usually one tries to be of help when reporting to the vendor directly. Even if one gets a response, it doesn't mean that it will really be dealt with then. It might not be the duty of the researcher to keep up the contact with the vendor, but often it seems like it. Another question which might come up once a vulnerability has been reported is how long one should actually wait until the information is given to the public.