Coordinated or Responsible Disclosure

This is a cybersecurity practice or policy which promotes the disclosure of security vulnerabilities to the affected vendor first, before public disclosure. If a software or hardware vulnerability is announced publicly before a fix is available, then bad actors (“hackers”) will learn about it, and be able to exploit it before it gets fixed.

With a coordinated or responsible disclosure process, the party that identified the vulnerability will directly contact the party which can fix it, and not go public until the fix is in place, or ready to be rolled out.

For example, here is Microsoft’s published policy:

Under the principle of Coordinated Vulnerability Disclosure, researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately.

This is why when news reports break about software vulnerabilities, the public is often urged by the vendor to upgrade, because the vulnerability was disclosed to them weeks ago, they have prepared a fix, and it’s waiting for customers to deploy it.

This can be problematic with open-source software. If a vulnerability is found in open-source software, the fix cannot be distributed without also disclosing it. In some projects, this means that a “critical vulnerability” is announced, and a date is set for the fix to be released. without explaining what the vulnerability actually is. This is to give time for users of the software to prepare for an expedited upgrade as soon as possible after the fix is released and the community of bad actors becomes aware of it.