Responsible Disclosure
Responsible disclosure is the practice of privately reporting discovered security vulnerabilities to the affected vendor or organization, giving them time to develop and deploy a fix before the vulnerability is made public.
Responsible disclosure, also known as coordinated vulnerability disclosure (CVD), is an ethical framework governing how security researchers report discovered vulnerabilities to affected parties. The core principle is that researchers should notify the vendor or organization privately and allow a reasonable timeframe for remediation before disclosing the vulnerability publicly. This approach balances the need to protect users with the imperative of transparency and accountability.
The responsible disclosure process typically follows a defined timeline. The researcher discovers and verifies the vulnerability, then reports it to the vendor through a designated security contact, bug bounty program, or published disclosure policy. The vendor acknowledges the report, investigates the issue, develops a fix, and deploys it. Once the fix is available, the vulnerability details may be publicly disclosed. Industry standard timelines typically range from 90 days (Google Project Zero) to 120 days, though complex issues may require extensions agreed between the researcher and the vendor.
Responsible disclosure exists as a middle ground between two alternative approaches. Full disclosure advocates for immediately publishing vulnerability details to pressure vendors into rapid fixes, but this exposes users to risk before patches are available. No disclosure, where vulnerabilities are reported but never made public, removes the incentive for vendors to address issues promptly and prevents the security community from learning about threats.
Many organizations establish vulnerability disclosure policies (VDPs) that provide clear guidelines for researchers, including where to report, expected response timelines, safe harbor protections against legal action, and whether financial rewards are offered. ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes) provide international standards for disclosure and handling respectively. A mature responsible disclosure program strengthens the relationship between organizations and the security research community, ultimately improving security for everyone.