>> We call this responsible disclosure.
> are you accusing me of being a liar
I'd not done so. I don't discount responsible disclosure as existing: I'd certainly want to see a zero-day exploit reported to the authors, first, so that they can get a chance to publish a patch before the flaw spreads in the wild, and I _report_ flaws directly to vendors and authors when I encounter them.
I've explained other, more selfish reasons that a vendor or a security researcher might decline to publish full details, reasons that could be and often are hidden behind the explanation of "responsible disclosure". Ignoring such motives would be naive. Vendors can, and do, hide behind rubrics of "responsible disclosure" to avoid the effort, especially significant redesign efforts, to actually fix the problem. Microsoft and CERT are the classic example of this. Microsoft product flaws are reported to CERT and remain undisclosed, for years, under "responsible disclosure" policies that provide little incentive to actually fix the dangerous, longstanding flaws..
I've certainly seen the problem personally when reporting or trying to fix security flaws. Given the length of my career, I've even seen architectural security flaws that have never been fixed because they would force a change in workflow, and that was unacceptable to the vendor or to the users. And I've had numerous business partners I've worked with get upset when I disclosed their security vulnerabilities to their own engineering staff, who'd not reviewed the consequences of their choices or had been deliberately kept out of the loop by their own supervisors.
Your immediate response of "are you accusing me of being a liar" is.... well, it seems based on my thinking that you actually work in security. I'm afraid that based on your apparent naivete, I can't conclude that. The idea that claimed "responsible disclosure" is always just that would be frankly naive.