What is coordinated vulnerability disclosure (CVD)?
Last reviewed June 2, 2026
Coordinated vulnerability disclosure (CVD) is the process by which a person who finds a vulnerability reports it privately to the vendor or a coordinator, and the parties work together so a fix is available before the details are made public. The goal is to reduce the window in which attackers can exploit the flaw while defenders are unprotected. It contrasts with full disclosure (immediate public release) and non-disclosure (never reporting).
CVD in one sentence
Coordinated vulnerability disclosure is the practice of reporting a vulnerability privately first, giving the vendor time to develop and release a fix, and only then disclosing the details publicly. It is sometimes called responsible disclosure, though many practitioners prefer the more neutral term coordinated disclosure.
The premise is simple: publishing exploit details before a patch exists hands attackers an advantage, while never disclosing leaves users unaware of risks they cannot manage. Coordination balances the two.
How the process works
A typical CVD flow moves through a few stages. A coordinator such as CERT/CC often facilitates it when the finder cannot reach the vendor, when the two sides cannot agree on a timeline, or when many vendors are affected and fixes must ship together.
- Discovery: a researcher, customer, or internal team finds the flaw.
- Private report: the finder notifies the vendor or a coordinator, often via a published security contact or bug bounty channel.
- Triage and fix: the vendor confirms the issue, a CNA (often the vendor itself) reserves a CVE ID, the parties agree on a disclosure date, and the vendor develops a remediation.
- Coordinated release: the vendor publishes a patch and a security advisory, and the finder may publish details, usually after an agreed timeline.
Disclosure models compared
Coordinated disclosure sits between two extremes. Understanding all three clarifies why coordination is the widely recommended default.
| Model | When details go public | Trade-off |
|---|---|---|
| Coordinated (CVD) | After a fix is available, on an agreed timeline | Balances user protection with transparency |
| Full disclosure | Immediately, regardless of a fix | Maximum pressure to fix, but exposes users meanwhile |
| Non-disclosure | Never reported publicly | Leaves users unaware and unprotected |
Timelines, deadlines, and the CVE link
Coordinators and researchers commonly set a disclosure deadline, often around 90 days, to keep vendors accountable while allowing reasonable time to fix. The clock normally starts at the initial report, not at vendor acknowledgement, and extensions are negotiated rather than assumed. If a flaw is already being exploited in the wild, timelines compress sharply, because the secrecy the embargo was protecting is already gone. During coordination a CVE ID is usually reserved early, which is why you sometimes see a CVE referenced before its details are published.
When the embargo lifts, the vendor publishes a security advisory, the CNA publishes the CVE record (its state moves from reserved to published), and downstream systems like the NVD and CISA's Vulnrichment begin enriching it.
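The following Python is an added example, not code from the original page, that models the process and timeline rules described above in the How the process works and Timelines sections: a default deadline counted from the report date, a compressed deadline when in-the-wild exploitation is confirmed, disclosure following the fix when the fix lands first, and the CVE record state that an observer sees on a given day. The 90-day figure is the page's "common default"; the 7-day compressed window, the rule that the clock starts at the report, and the simplification that the CVE ID is reserved on the report date are assumptions made for the example.

```python
"""Model CVD timeline rules: default deadline, compressed deadline for
in-the-wild exploitation, fix-driven disclosure, and CVE record state.
Added example; the day counts below are assumptions, not a standard."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_DEADLINE_DAYS = 90    # the page's "around 90 days" common default
EXPLOITED_DEADLINE_DAYS = 7   # assumed compressed window for confirmed exploitation


@dataclass(frozen=True)
class DisclosurePlan:
    report_date: date
    deadline: date          # latest date details go public, fix or no fix
    disclosure_date: date   # date the finder may publish under this plan
    reason: str             # why that date was chosen


def plan_disclosure(report_date: date,
                    fix_date: Optional[date] = None,
                    exploited_in_wild: bool = False) -> DisclosurePlan:
    """Decide when details may be published.

    Rules (assumed for this example):
    - the clock starts at the private report, not at vendor acknowledgement;
    - confirmed in-the-wild exploitation shortens the deadline sharply;
    - if a fix ships on or before the deadline, disclosure follows the fix;
    - if no fix ships in time, disclosure happens at the deadline anyway.
    """
    if fix_date is not None and fix_date < report_date:
        raise ValueError("fix cannot predate the report")
    days = EXPLOITED_DEADLINE_DAYS if exploited_in_wild else DEFAULT_DEADLINE_DAYS
    deadline = report_date + timedelta(days=days)
    if fix_date is not None and fix_date <= deadline:
        return DisclosurePlan(report_date, deadline, fix_date,
                              "fix released; coordinated publication with the advisory")
    if fix_date is None:
        return DisclosurePlan(report_date, deadline, deadline,
                              "no fix; deadline disclosure")
    return DisclosurePlan(report_date, deadline, deadline,
                          "fix scheduled after deadline; deadline disclosure")


def days_remaining(plan: DisclosurePlan, today: date) -> int:
    """Days left before details go public (negative once the date has passed)."""
    return (plan.disclosure_date - today).days


def cve_state(plan: DisclosurePlan, today: date) -> str:
    """CVE record state an observer sees on `today`.

    Simplification: the ID is treated as reserved from the report date
    (in practice a CNA reserves it during triage). RESERVED means the
    identifier can be cited but carries no public details yet.
    """
    if today < plan.report_date:
        raise ValueError("no CVE ID exists before the report")
    return "PUBLISHED" if today >= plan.disclosure_date else "RESERVED"


if __name__ == "__main__":
    reported = date(2026, 1, 5)  # constructed sample dates
    for label, plan in [
        ("no fix yet", plan_disclosure(reported)),
        ("exploited in the wild", plan_disclosure(reported, exploited_in_wild=True)),
        ("fix on 2026-02-10", plan_disclosure(reported, fix_date=date(2026, 2, 10))),
        ("fix on 2026-05-01", plan_disclosure(reported, fix_date=date(2026, 5, 1))),
    ]:
        print(f"{label:22} deadline={plan.deadline} publish={plan.disclosure_date} "
              f"({plan.reason}); state on 2026-03-01: {cve_state(plan, date(2026, 3, 1))}")
```

The useful property to notice is that the fix date only moves disclosure earlier, never later: a vendor that slips past the deadline does not extend the embargo by promising a fix, which is the accountability mechanism the deadline exists to provide. Real policies add negotiated extensions and grace periods on top of this; model those explicitly rather than by quietly resetting the clock.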
Keep exploring
- CVE lifecycle: Reserved to published mirrors the disclosure flow.
- What is a security advisory? The notice published when disclosure happens.
- What is a CNA? Who coordinates disclosure and assigns the CVE.
- What is VEX? Stating whether a product is actually affected.
- What is a CVE? The identifier reserved during coordination.
Frequently asked questions
- What is coordinated vulnerability disclosure?
- It is the process of privately reporting a vulnerability to the vendor or a coordinator, allowing time to develop a fix, and then disclosing the details publicly once a patch is available, to minimize the window of exposure.
- How is coordinated disclosure different from responsible disclosure?
- They describe the same practice. Many practitioners prefer the term coordinated disclosure because "responsible" implies that every other choice is irresponsible, a judgment many researchers reject.
- What is a typical disclosure deadline?
- Around 90 days from the initial report is a common default, giving vendors time to fix while keeping them accountable. Deadlines shorten significantly when a vulnerability is already being actively exploited, since the embargo no longer protects anyone.
- Why does a CVE sometimes appear before any details?
- Because the CVE ID is reserved early during coordinated disclosure. The reserved state lets people cite the identifier before the details are published with the fix.