Cybersecurity - Memes

Disclosure to the company is only half of responsible disclosure.

1. Report bug to company privately, and specify a date where the details will be made public. 90 days is a good starting point, but there is room for negotiation up or down depending on how complex the bug is (more complex = harder for someone else to discover = less urgency to patch) and how much impact there is (more impact = more risk if someone malicious discovers it = more urgency)
2. While you wait, apply for a CVE number and determine a CVSS score - this helps signal how critical the bug is
3. Once the company publishes a patch (or the embargo date is reached, which ever comes first), publish details of the research

The point of responsible disclosure is to balance the vendors need to have time to fix security bugs before the details are publicly known against the customers right to know that there are unpatched bugs so they can take measures to mitigate their risks. It isn't a free pass for vendors to never patch things