Wednesday, July 21, 2010
Microsoft proves responsible disclosure doesn't work
I find that when I try to discuss "responsible disclosure" with otherwise rational people, they get defensive and claim I'm "imputing motives". So let's show how the inventors of "responsible disclosure" have proven that it doesn't work, without resorting to name-calling or motive-imputing. We're going to use the method of modus tollens. If you can't handle that, then you should probably stop reading right now.

Microsoft is the pioneer of "responsible disclosure", and they lay out how it works here:

The responsibility for Microsoft's products rests with Microsoft alone, and we take that responsibility very seriously. However, there has traditionally been an unwritten rule among security professionals that the discoverer of a security vulnerability has an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it. This serves everyone's best interests, by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious users while the update is being developed. After customers are protected, public discussion of the vulnerability is entirely in order, and helps the industry at large improve its products.

Microsoft is asserting that "responsible disclosure" is P->Q, where P = "the discoverer of a security vulnerability has an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it" and Q = "customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious users while the update is being developed". We can easily demonstrate ~Q. Here are a couple of examples:
January 21, 2010, 3:40PM (Source: Microsoft Knew of IE Zero-Day Flaw Since September)

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year. The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update. The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks. The patches are included in the critical MS10-002 bulletin. The vulnerability used in the attacks (CVE-2010-0249) was privately reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

(Source: Microsoft Security Bulletin MS10-002)

When this security bulletin was issued, had this vulnerability been publicly disclosed?

Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2010-0249.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

Yes. Microsoft is aware of limited attacks attempting to exploit the vulnerability.

(Source: Microsoft Security Bulletin MS10-018)

When this security bulletin was issued, had this vulnerability been publicly disclosed?

While the original report was reported privately to Microsoft, the vulnerability [CVE-2010-0806] was later disclosed publicly by a separate party.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

Yes. Microsoft is aware of attacks attempting to exploit the vulnerability.

So we have two separate examples of ~Q from 2010 alone! Thus, using modus tollens, and claims and evidence solely from Microsoft, we can demonstrate ~P, or in other words, the discoverer of a security vulnerability does not have an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it. Sadly, even Google, who is rather forward-thinking in terms of its policies for dealing with third-party security researchers, can't even come to accept ~P, and instead is trying to fix responsible disclosure. Good luck with that.
Posted by Jeffrey at 3:42 AM under Technology