The guiding principle I recommend is “disclose in the manner which maximally advantages good actors over bad actors”. As you note, this usually will mean something between “public broadcast” and “keep it to yourself”, and perhaps something in and around responsible disclosure in software engineering: try to get the message to those who can help mitigate the vulnerability without it leaking to those who might exploit it.
On how to actually do it, I mostly agree with Bloom’s answer. One thing to add is although I can’t speak for OP staff, Esvelt, etc., I’d expect—like me—they would far rather have someone “pester” them with a mistaken worry than see a significant concern get widely disseminated because someone was too nervous to reach out to them directly.
Speaking for myself: If something comes up where you think I would be worth talking to, please do get in touch so we can arrange a further conversation. I don’t need to know (and I would recommend against including) particular details in the first instance.
(As perhaps goes without saying, at least for bio—and perhaps elsewhere—I strongly recommend against people trying to generate hazards, “red teaming”, etc.)