There’s no best way to handle disclosure of zero-day vulnerabilities