Company:
Date Published:
Author: Asaf Biton
Word count: 695
Language: English
Hacker News points: None

Summary

It's a common misconception that making a vulnerability public immediately is the responsible thing to do. Instead, responsible vulnerability disclosure involves privately reporting 0-day vulnerabilities to the maintainers so they have time to issue a fix or patch before the details are made public. Striking the right balance between minimizing private exposure and minimizing public exposure is key. Many software companies have official disclosure policies in place, but open source packages often lack them, which makes following a responsible disclosure process difficult. When a proper vulnerability disclosure process is followed, maintainers can triage the issue without undue urgency, assign fixes, and disclose publicly once the release is ready, so that the vulnerability cannot be abused in the meantime. Snyk has established a vulnerability disclosure program to bridge this gap, providing a secure way for researchers to report vulnerabilities and work with maintainers to get them fixed.