I did not.
This is a meaningless distinction. If your personal and professional ethics are not aligned then you are, at all times, acting in cognitive dissonance. To elevate from all the painful ethics-101 rehashing, my ethical framework is fundamentally rooted in harm reduction and consequentialism. I don’t believe that any prescriptive framework is fundamentally moral. Further, I don’t believe intent should be a significant factor when determining the morality of an action. Having said that, as an anarchist I try not to miss opportunities to decentralize both power and knowledge.
It is abundantly clear to me that the “responsible” approach to security disclosure standards in the industry has done incalculable harm over the years - creating a hierarchy of corporations who are able to patch and secure their systems before others - and thus develop a market advantage. Not to mention bugs being intercepted from private disclosure processes and exploited by government agencies.
“Responsible” disclosure has left both commercial and digital public infrastructure in complete disarray, removing evolutionary pressures that would otherwise obliterate vendors who refuse to respect the people who rely on their systems and thus making all systems weaker.
Vendors who publish broken software do not have a right to keep that fact secret.
I have already answered this question. I’m not going to compromise my long-standing ethics to serve contemporary politics. I trust that CAP members will understand that I have the integrity to do what I think is right, just and harm reductive, not what is expected by some arbitrary, prescriptive standard designed to propagate hierarchies of power.