Limited disclosure. Responsible disclosure. Full disclosure. These are varying levels of loose expectations or cultural norms that certain circles of the security community respected.
We’re so beyond that point. Security “researchers”, vulnerability buyers, software vendors, universities, the press, government and everyone in between are fragmented. Fragmented on Twitter, Facebook, blogs, forums, and (old school!) mailing lists. The discussions and announcements have moved from a small slice of the Internet (mailing lists and individual emails) to social media at large. There is no one culture or expectation anymore. There may be disclosure in the usual places, or it may be on the company’s Facebook or Twitter feed. In plain view of everyone, not just security geeks. I expect this small tweak can have larger ramifications for the discourse.
There are no norms; however, social content reaches everyone at the same time, and communication is expected to be bi-directional, transparent and generally honest. If that’s true, then the vulnerability “owner” must interject itself into the disclosure and establish dialog and understanding. This is increasingly likely to be public.
Why? Because the “disclosurer” can now dictate the public discussion. One last time: Social Disclosure has no particular custom or cultural norm (yet?).