What is responsible disclosure?
Last reviewed June 2, 2026
Responsible disclosure is the practice of privately reporting a discovered vulnerability to the affected vendor and giving them reasonable time to release a fix before any public details are shared. The goal is to get the flaw patched while minimizing the window in which attackers could abuse it. Coordinated disclosure is the modern, more collaborative term for this process.
What responsible disclosure means
Responsible disclosure is an agreement, often informal, between security researchers and vendors. A researcher who finds a vulnerability reports it privately to the vendor instead of publishing it immediately, and the vendor commits to investigating and fixing it. Public details are released later, usually once a patch is available, so defenders can act but attackers gain little head start.
The core tension it resolves is between secrecy and transparency. Releasing details too early helps attackers; never releasing them leaves users unaware of risks. Responsible disclosure aims for the middle path: fix first, then inform.
How the process works
A typical responsible disclosure follows a predictable sequence, often guided by a published vulnerability disclosure policy or a bug bounty program.
- The researcher finds and verifies a vulnerability.
- They report it privately through the vendor's disclosure channel.
- The vendor acknowledges, validates, and works on a fix.
- Both parties agree on a disclosure timeline, often around 90 days.
- The fix ships, then the details (and often a CVE) are published.
Coordinated vulnerability disclosure
Coordinated vulnerability disclosure (CVD) is the term many organizations now prefer over responsible disclosure, because it emphasizes cooperation rather than implying that anyone reporting differently is irresponsible. CVD often involves more than two parties: researchers, vendors, coordinators such as a CERT, and CNAs that assign CVE identifiers.
Coordination becomes essential when a single flaw affects many vendors, for example a vulnerability in a widely used library. A neutral coordinator helps synchronize patches and a joint disclosure date so that no vendor is left exposed when the details go public.
How it differs from other models
Two contrasting models help define responsible disclosure. Full disclosure publishes all details immediately, arguing that public pressure forces fast fixes and that attackers may already know the flaw. Non-disclosure keeps a flaw secret indefinitely, which leaves users unprotected and is how zero-days persist. Responsible and coordinated disclosure sit between these extremes, balancing speed of fixing with user safety.
| Model | When details go public |
|---|---|
| Full disclosure | Immediately, before any patch |
| Responsible / coordinated | After a fix, on an agreed timeline |
| Non-disclosure | Withheld, sometimes indefinitely |
Frequently asked questions
- What is the difference between responsible and coordinated disclosure?
  - They describe the same goal. Coordinated vulnerability disclosure is the preferred modern term because it stresses cooperation among researchers, vendors, and coordinators, rather than implying other approaches are irresponsible.
- How long is a typical disclosure deadline?
  - Many programs use a window of around 90 days from the report to public disclosure, though it varies. The deadline pressures vendors to fix promptly while giving enough time to develop a quality patch.
- What is the difference from full disclosure?
  - Full disclosure publishes all details immediately, before a patch exists. Responsible and coordinated disclosure withhold details until a fix is available, reducing the window in which attackers can exploit the flaw.
- What happens if a vendor ignores a report?
  - Researchers often publish after a stated deadline even without a fix, arguing that users deserve to know. Clear disclosure policies and coordinators help avoid this by keeping vendors accountable to a timeline.