Computer Academic Underground
Disclosure Policy
"Irresponsible Disclosure"
All the rage these days seems to be practicing the so-called "Responsible
Disclosure" route of vulnerability disclosure, wherein Vendors are hand-held
through the process of being notified of their bugs, spoon-fed the vulnerability
information, and allowed months and months of time for them to create, test,
and release a patch.
We think that's bullshit. We don't have the time, nor the desire, to hold a
Vendor's hand during the process of fixing their crappy product.
Full-Disclosure, hereafter referred to as "Irresponsible Disclosure" specifically to mock the
existence of this other sluggish and resource-intensive method of vulnerability disclosure,
which has been brought to the security research community and branded as "Responsible Disclosure"
by the very Vendors that have the most face to lose, is the official policy of the
Computer Academic Underground.
Irresponsible Disclosure has been proven time and time again not only to
allow consumers with vulnerable products to immediately test those
products to identify whether they are in fact vulnerable, but also to
cause Vendors to develop and release patches much more diligently. It is folly to assume
that because a vulnerability has not been publicly disclosed it is not being
exploited in the wild. By causing Vendors to patch more quickly, the window
of opportunity for exploitation is drastically shortened, which therefore
better serves those who are vulnerable rather than the Vendors who introduced the
vulnerability to the consumers in the first place. Responsible Disclosure is analogous
to gun law: when you take away the guns from law-abiding people, the only
ones with guns are the criminals. Such is the case for vulnerability information:
when you don't allow the public to have the information, the only ones who
likely have it are the malicious folk who want to keep it private and use it
for nefarious purposes.
In all seriousness though, the Computer Academic Underground has no official disclosure
policy. Each member of CAU makes their own decisions about what and when to
disclose, made on a case-by-case basis regarding individual vulnerabilities, the impact
they pose, and the consumers and vendors involved.