Vulnerability disclosure policies
Posted Jul 8, 2010 13:38 UTC (Thu) by NRArnot (subscriber, #3033)
In reply to: Vulnerability disclosure policies by error27
Parent article: Vulnerability disclosure policies
With open software that's all but guaranteed. Even if the lead developers or maintainers won't fix it, the source is available so anyone else who cares can fork it and fix it. Anyway, in the absence of a direct profit motive, developers are motivated to maintain their reputation. The last thing they want is for that to be tarnished by not fixing security issues.
With proprietary? There are many cases of Microsoft and their like burying their heads in the sand for months or years until the bug is being exploited by vandals and criminals. There are also more than a few instances where the bug is fixed in the latest version only; no fix is made available to users of earlier versions who do not wish to pay to upgrade (or who may not wish to down, sorry up, -grade even if it were possible for free). In other words, the manufacturer is profiting by virtue of having sold a defective product in the first instance!
So my feeling is that zero disclosure is not unreasonable in the case of proprietary software. To put it crudely, screw them, because they are screwing you.