Wordfence Has Been Selling Info on Unfixed Vulnerability That Allows Website Takeover to Hackers for a Month
The WordPress security provider Wordfence makes a big deal about doing responsible disclosure of vulnerabilities, despite not actually doing that. Responsible disclosure involves notifying the developer first and giving them a chance to address the vulnerability before notifying anyone else. In Wordfence’s disclosure policy, they claim to do responsible disclosure and then go on to say they will sell information about vulnerabilities to those using their Wordfence Premium service, in the form of firewall rules, before even notifying the developer. That policy also obliquely acknowledges that those firewall rules could be misused:
Where possible, we develop a firewall rule to protect our customers. This rule is obfuscated to prevent reverse engineering.