If you're considering this, please consider responsible disclosure steps. Here are ones I use with consulting clients.

https://github.com/joelparkerhenderson/responsible_disclosur...



Please consider replacing the term "responsible disclosure" with "coordinated disclosure", and revise your steps accordingly. Non-coordinated disclosure isn't necessarily "irresponsible", and the suggestion that it is is frowned upon among serious testers, which are presumably the ones you want to attract with disclosure policy.

And it's worth remembering that any kind of disclosure "policy" is a request for a favor from the researcher, so it's good to word things accordingly. You wouldn't generally ask for a concession (like honoring an embargo on publicly reporting a finding you took time to generate) right after also "asking" the reporter to report "in good faith".


Done. Thank you for the advice, and all your security work.

https://github.com/joelparkerhenderson/coordinated_disclosur...

If you have anything more you want in it, please let me know.


Isn't responsible disclosure the aim here? I don't think substituting coordination for responsible is a sensible strategy for your project.

The coordination is inherent in the fact that they are honouring your disclosure policy. The word coordinated is redundant.

Objectively, it should be called a "security disclosure" policy.


You make good points.

How would you improve it to clarify the aim is to be generally useful for both sides?

For example, when I personally discover a security issue, I want to be able to report it to a company, and also include a link to this doc, and ask "Here's how I suggest we interact and why; what do you think?".


Once again, "responsible disclosure" is a term of art in the industry, and it communicates something he probably doesn't mean to communicate.