D4 · Operations

What is responsible vulnerability disclosure?

Responsible disclosure reports vulnerabilities to the vendor privately, giving the vendor time to patch before public disclosure, typically 90 days (the Google Project Zero standard).
Full immediate disclosure creates immediate risk for unpatched users. No disclosure lets vendors ignore vulnerabilities indefinitely. 90-day coordinated disclosure balances the vendor's patching time against public risk. Bug bounty programs formalize this relationship.