by solid_fuel 4 hours ago

Shodan has existed for at least a decade and you can't create a cloud instance anywhere these days without it getting immediately crawled. Literally, I was setting up a VPS last week and within 5 minutes of Caddy getting a cert from Let's Encrypt (which then adds the hostname to the certificate transparency log) the access log lit up with dozens of requests per second, all requesting paths like `/wp-admin` and `/admin.cgi` and all sorts of things, looking for vulnerable software.

I wouldn't call this _responsible_ disclosure, but setting up software that is known to be riddled with security holes and granting it both direct access to the internet and to user data is - frankly - so irresponsible that it borders on negligence. If we had stronger standards for software engineering and IT we would call it malpractice.
