Stop Saying "Responsible Disclosure"

(vidbuchanan.co.uk)

6 points | by Tomte 7 hours ago

1 comment

  • efortis 5 hours ago
    In my experience, if they don’t have a clear procedure, they’ll just waste your time, and treat you as a criminal.

    Also, they might have one, but the same will happen if their security flaw is key to their differentiating feature.

    It took me a while not to think of “responsible” as a duty to report it by default. I mean, if it’s related to your country report it to the authority. Outside that, to me, responsible is how the organization notifies its users or how it contains the damage.

    For example, Apple could prompt you: “Shut down your phone while we fix a problem.” That way the user is given the security option of taking the risk or using another phone.

    Another responsible example would be more like shutting down the affected service while it is fixed.