We need to pass laws that forbid retaliation against disclosure, and require bounty programs. It might even make sense to have disclosure go through a public agency to arbitrate, and bond companies to that agency, much like we do with contractors.
They probably want to check PoC into their repository, and banks take a very dim view of unprofessional language in the DB. I would only be slightly surprised had the terms included: "All code must be written while wearing professional attire."
You may be right, but I suspect the causality is reversed: maybe there's a widespread sense that good laws cannot be written because, empirically, the people who make laws do so in devastatingly dumb ways.
Whatever the issue, it will immediately become a political football, and will end up being not only ineffective at the initial intention, but also include terrible side effects and dangerous footguns. Whether this is the result of a basically broken system of legislature, or of allowing the laws to be drafted by the people they are supposed to protect against, or a combination of both, or something else entirely, I'm not qualified to say.
But I can say this: when I hear of some political ambition to make something better with a new law, I don't expect it to go well.
When I hear of some political ambition to make something better through inaction or through demolishing Chesterton's Fence, I don't expect it to go well.
It's also a product of writing good laws being really hard, because the people writing them are outside the industry, different from the people enforcing them, and often different from the people they affect.
Better to remove barriers and things that silo and centralize power.
Which is why lobbying ostensibly exists: people in the industry know best.
To counteract this a consumer group or union of those affected would be required, but that's a bit tough when they are usually the ones spending the money, not earning it.
If someone discovers a security vulnerability in a computer system, and they notify the operator or party responsible for maintenance of the system, then, starting 90 days after the notification was received, they may publicly disclose the vulnerability without fear of civil or legal repercussions.
If they use the vulnerability to exploit a system that is outside of their own administrative control (beyond developing a proof of concept), or transfer the information with intent to facilitate third party exploitation of the vulnerability, then the above protections do not apply.
I’m sure a lawyer worth their salt could turn that into an iron-clad law.
Since the people in charge are basically the same rich morons as (or in the pocket of) the ones doing this to researchers, I wouldn't hold my breath.
Best we can hope for is that the EU or some other trigger-happy regulators do the same for security as they tried to do for privacy: mandate a dedicated security contact that legally has to respond to your disclosure. Then at least we'll have some form of direct contact and not have to resort to Twitter for "secure" disclosure.