
I own an .IO domain. Do I deserve to have fake LetsEncrypt certs issued against me and my domain hijacked because some engineer forgot to remove some critical NS records or forgot to register some aliases?

Responsible disclosure cat is responsible!



"Responsible disclosure" is a coercive term. It implies that it's irresponsible to do anything else. "Coordinated disclosure" is far better.

That said, coordinated disclosure is the neighborly thing to do, but it's by no means a moral obligation. It would be perfectly fine for the author to tweet about it, for example.


No moral obligation? I don't think many people would agree with you on that.

If you are actively poking around at someone's home and you find an unlocked window, you don't think there is a moral obligation to inform the owner of the security issue? No moral issues if you then find a group of hoodlums down the street and announce that house 123 has an unlocked window?

I can see that if you were just driving by and saw the window open, you don't really have any obligation (unless you plan to announce it publicly), but if you are actively seeking out security flaws in someone else's property, not disclosing it to the owner and then announcing it, or worse, selling it to potentially bad actors, seems morally reprehensible.


This isn't equivalent to "If I leave my door unlocked..." scenarios. It's perfectly legal to register any .io name you want. You can't go poking around someone's house.

The situation is more analogous to discovering that a certain type of door offers no protection, even though it seems to lock. It's perfectly fine to tweet about that, regardless of how many people have that door. The blame lies on the company, not the messenger.


That would still be unethical. An ethical person would not commit acts which they know have the potential to cause harm to innocent people.

If you're a black hat and you don't give a shit about potential legal ramifications or any injury to anyone (partly because you fear no consequence), there's probably nothing unethical to you about fucking over a bunch of innocent people just so you can "spank" some douchebag management company into following best practices.

If you're a professional, or even a non-douchebag adult, who finds value in the ideal of protecting the innocent customers of a dangerously irresponsible corporation, you would want to work first toward protecting those individuals, and then focus on disciplining the corporation.


It represents a moral judgement that it is absolutely not okay (or perhaps: irresponsible) to screw over n+y people for the actions of n people.


This moral judgement is mistaken because its premise is false. The moral blame lies on the company that allowed the problem to happen, not the person calling attention to it. It's not at all the same as "if I leave my door unlocked..." type scenarios. It's perfectly legal to register .io's nameservers.


That's a cop-out. If your actions reasonably cause harm to other people, regardless of whether those actions are "calling attention to" or actually pulling the trigger, that's a moral evil.

If someone goes around the town telling everyone that you leave your door unlocked, while they can't be legally held responsible, they're still morally responsible if someone goes in and steals your stuff armed with that knowledge.

Companies fixing their stuff before that happens is in everyone's best interests at the end of the day - hence responsible disclosure.


Frankly, yes, a little bit. You're choosing to run your website/infrastructure/etc with a dependency on a sketchy service with no oversight (the ccTLD system in general, but .io in particular). Unless you suffer for this choice, the market for provider competence will be broken.


Which nobody had any idea was sketchy or un-oversighten until recently. It was not a choice to run their website/infrastructure/etc. on sketchy services at all.


No. People who care about internet-scale infrastructural issues have known about these issues for a very long time. However, most people who utilize (and depend on) these services have not taken the time to understand how they work.


Because it's a simple transaction. I pay someone for a domain, I get said domain.

Jimmy Throwawaysite shouldn't have to take the time to understand how DNS works beyond knowing how to set DNS records; the oversight should come from above. If ICANN wants to let anyone with a couple hundred thou run a TLD, they should be making sure that entity can technically manage the TLD.
