The guiding principle I recommend is ‘disclose in the manner which maximally advantages good actors over bad actors’. As you note, this usually will mean something between ‘public broadcast’ and ‘keep it to yourself’, and perhaps something in and around responsible disclosure in software engineering: try to get the message to those who can help mitigate the vulnerability without it leaking to those who might exploit it.
On how to actually do it, I mostly agree with Bloom’s answer. One thing to add is although I can’t speak for OP staff, Esvelt, etc., I’d expect—like me—they would far rather have someone ‘pester’ them with a mistaken worry than see a significant concern get widely disseminated because someone was too nervous to reach out to them directly.
Speaking for myself: If something comes up where you think I would be worth talking to, please do get in touch so we can arrange a further conversation. I don’t need to know (and I would recommend against including) particular details in the first instance.
(As perhaps goes without saying, at least for bio—and perhaps elsewhere—I strongly recommend against people trying to generate hazards, ‘red teaming’, etc.)