Someone else here, although I don't remember who, regularly argues that Bug Bounty platforms exist to capture and prevent responsible disclosure, not encourage it.

If they're regular enough to see your comment, they may be able to expand the idea and explain it better.

> exist to capture and prevent responsible disclosure, not encourage it.

I will say that Google's VRP is the exception. They have top notch people who answer the initial report, will keep you in the loop (usually) and will consider impact if you'd gone further. BC or H1 are hit or miss, and more often miss.

I can see why; if it's software that isn't easily or frequently patched or it takes a long time to update everyone and roll out the update, AND the exploit isn't known elsewhere yet / actively abused, keeping the report under wraps to try and protect the unpatched installations for as long as possible makes sense. Yes it's security by obscurity, but if you're the first to find it then the obscurity was effective.

I don't think I make this argument regularly and I wouldn't absolutely say that's the goal of the platforms themselves, but it's an effective outcome - in most cases participating in the program means accepting terms that say you won't disclose without permission, and if the vendor never grants permission you have the choice of disclosing (and potentially being kicked off the platform and also losing any safe harbor protections you had) or just saying nothing.