infosecdj@infosec.exchange (@infosecdj@infosec.exchange)
About
Posts: 1
Topics: 0
Highlights: 0
Groups: 0
Followers: 0
Following: 0

Posts

  • I'm going to say something that's been festering in my mind for a while now.
    infosecdj@infosec.exchange

    @da_667 Welcome to the club!

    Yes, the "responsible" disclosure was designed to push as much responsibility to whoever finds The Bug and absolve everyone else. It is an emotionally-charged term, and I think purposefully so. You are supposed to feel bad about *not* doing it or doing it in a way The Company disagrees with. I mean, think of the children^W^W^Wusers! And then when you, in your silliness, try to do the supposedly right thing, and get a legal threat back -- well, folks, that ain't the kind of responsibility I remember ever taking upon myself. If I get threats and violence for doing supposedly good, I ain't doing good no more, sorry. Not interested. Maybe someone else will, I don't care. So I say we treat vulnerability disclosure as proper journalism, according to Orwell: "Journalism is printing what someone else does not want published; everything else is public relations."

    Yes, the select few have made a fortune on bug bounties or whatever, but the vast majority gets breadcrumbs and the feeling of Doing The Right Thing. That feeling is where they got us. Taking responsibility for someone else's fuck-ups and feeling guilty for not being responsible enough, that's so weird, man. I didn't put the bugs in there, you did, dear company, by hiring the cheapest contractors to do the job and firing the one person who actually cared. We all know how it goes. After all, nothing a company does is in the interest of the end user or anybody else but the company itself and/or the shareholders.

    So yeah, got a 0-day? To full disclosure, or sell it off if that's your thing. At least remember you got a choice here.

    Sorry for a bunch of words, the topic hits rather close here too.

    Uncategorized
Powered by NodeBB Contributors
Graciously hosted by data.coop