Delayed or adversarial disclosure undermines security posture and exposes enterprises to unmanaged vulnerabilities, making it a critical governance issue for CISOs.
The vulnerability disclosure ecosystem is under strain from a surge in report volume driven by automated scanners and AI‑assisted fuzzing. Security teams are forced to triage thousands of low‑signal findings, while CVSS scores, which are mechanically calculated and environment‑agnostic, trigger costly escalation even for marginal bugs. This overload creates a de facto denial‑of‑service for researchers, who must now prove real‑world impact without compensation, eroding the goodwill that once underpinned responsible disclosure.
The React2Shell incident illustrates both the potential and the pitfalls of a well‑orchestrated response. Coordinated effort among the React Foundation, Vercel, AWS, and Cloudflare enabled rapid patch development, yet the flaw was already weaponized in the wild, highlighting that even best‑case coordination cannot eliminate downstream risk. Conversely, numerous cases involving unbacked open‑source libraries show researchers stuck in a gray zone where silence, severity wars, and legal threats become the norm, pushing some toward public disclosure or ethically dubious actions to force remediation.
For CISOs, the imperative is clear: treat disclosure as an operational function rather than a moral afterthought. Establish service‑level expectations for acknowledgment, publish transparent severity triage criteria, and provide legal safe‑harbor language to reduce adversarial escalation. Investing in third‑party coordinators, offering non‑cash recognition, and funding critical open‑source dependencies can close the incentive gap. By embedding these practices into vendor contracts and internal risk frameworks, organizations can restore trust, improve patch timelines, and mitigate the governance failures that arise when responsible disclosure collapses.