CVE Chapter

How Does Responsible Disclosure Work?

Jul 3, 2026 · 9 min read · Beginner

What is Responsible Disclosure?

Responsible disclosure — also called coordinated vulnerability disclosure (CVD) — is the practice of privately reporting a security vulnerability to the organisation responsible for the affected software before making it public. The goal is to give the vendor time to develop, test, and release a patch, so that users can be protected before attackers learn the details.

It sits at the intersection of two competing values:

Responsible disclosure balances both: the public eventually gets the information, but only after a fix is available.

Disclosure Models

Three main approaches to vulnerability disclosure have emerged in the security community.

ModelProcessProsCons
Responsible (Coordinated) DisclosureReport privately → wait for patch → publishUsers protected at disclosure; builds vendor trustVendor may delay or ignore; researcher gets no credit during embargo
Full DisclosurePublish all details immediately with no vendor noticePressures vendors to patch; no vendor suppressionAttackers get the details before a patch exists; users at risk
Bug Bounty (Structured)Report via bounty platform → vendor has defined SLA → researcher paid → details published after patchFinancial incentive; defined timelines; legal clarityLimited scope; some researchers prefer non-bounty channels

The security industry has largely converged on coordinated disclosure as the responsible standard, with bug bounty programmes providing the infrastructure to make it financially viable for researchers.

The Coordinated Disclosure Process Step by Step

Day 0: Discovery Researcher discovers the vulnerability

The researcher identifies a security flaw through code review, fuzzing, dynamic analysis, or reverse engineering. They write a proof of concept to confirm the vulnerability is real and exploitable.

Day 1–7: Initial Private Report Researcher contacts the vendor

The researcher submits a detailed private report to the vendor via their official security channel ([email protected], a bug bounty platform, or a PSIRT portal). The report includes: vulnerability description, affected versions, reproduction steps, and PoC code.

Day 7–14: Vendor Acknowledgment Vendor confirms receipt

The vendor acknowledges the report, confirms it can reproduce the issue, and provides an estimated timeline for a fix. If the vendor does not respond within 7–14 days, the researcher typically sends a follow-up.

Days 14–90: Patch Development Vendor develops and tests the fix

The vendor develops the patch, tests it for regressions, and coordinates internal release processes. For complex vulnerabilities affecting many products, this can take the full 90 days. The researcher may provide additional technical assistance.

Day ~90: Patch Released Vendor publishes the fix and CVE is disclosed

The vendor publishes the patch, a security advisory, and a CVE ID (assigned earlier in the process). The researcher publishes their technical write-up, often simultaneously.

Post-disclosure: CVE Enrichment NVD adds CVSS scores and CPE data

The NVD processes the CVE entry, adds CVSS scores, CWE classification, and CPE affected software lists. Security scanners update their plugin databases. Organisations begin patching.

Disclosure Timelines

The most important decision in responsible disclosure is how long to give a vendor before going public, even if no patch exists.

OrganisationDefault DeadlineExtensionNotes
Google Project Zero90 days+14 days if patch is imminentStrict; publishes on deadline even without a patch
CERT/CC45 daysVariesLonger for complex multi-vendor issues
HackerOnePer-programme SLAPer programmeUsually 90 days; can be extended by mutual agreement
BugcrowdPer-programme SLAPer programmeSame as HackerOne
Zero Day Initiative (ZDI)120 daysVariesTrend Micro-owned; buys and coordinates vulns
MSRC (Microsoft)90 days (following Project Zero)+30 daysMicrosoft adopted 90-day standard following pressure

Google Project Zero and the 90-Day Standard

Google Project Zero, launched in 2014, is a team of elite security researchers whose mission is to find and responsibly disclose vulnerabilities in widely used software — not just Google's own products.

Project Zero introduced a strict 90-day disclosure deadline: after 90 days (with a possible 14-day extension if a patch is imminent), Project Zero publishes full vulnerability details regardless of whether the vendor has released a patch. This firm stance was controversial when introduced — vendors complained that 90 days was too short for complex vulnerabilities — but it dramatically accelerated the industry's average patch times.

Project Zero's database of disclosed vulnerabilities is public at googleprojectzero.blogspot.com. Their writeups are detailed technical analyses, often including PoC code, and are required reading for serious security researchers.

Impact: Before Project Zero, some vendors took 6–12 months to patch reported vulnerabilities. After the 90-day deadline became the standard, Microsoft, Apple, and others significantly improved their average patch times to stay within the window.

Bug Bounty Programmes

Bug bounty programmes are structured responsible disclosure programmes that pay researchers for finding valid vulnerabilities. They provide:

Payout Ranges (2026)

SeverityTypical RangeMax payouts (top programmes)
Critical (RCE, auth bypass)$10,000–$100,000$1,000,000+ (Google, Apple)
High (privilege escalation, data exfil)$5,000–$30,000$150,000+
Medium (stored XSS, SSRF)$500–$5,000$25,000+
Low (reflected XSS, information disclosure)$100–$500$2,000+

Major Bug Bounty Platforms

Many major technology companies run their own in-house programmes directly: Google, Microsoft, Apple, Meta, and Amazon all accept vulnerability reports through their own PSIRT portals.

Security research occupies legally complex territory. In many jurisdictions, testing systems without permission violates computer crime laws (the US Computer Fraud and Abuse Act, UK Computer Misuse Act, EU Directive on attacks against information systems).

Bug bounty programmes address this by providing legal safe harbour — a written commitment from the vendor not to pursue legal action against researchers who follow the programme rules. This is a critical protection that researchers should always verify before testing.

Key legal principles for researchers:

Frequently Asked Questions

What is responsible disclosure?
Responsible disclosure (also called coordinated disclosure) is the practice of privately reporting a security vulnerability to the affected vendor before making it public. This gives the vendor time to develop and release a patch before attackers can exploit the vulnerability.
How long do researchers give vendors to fix a vulnerability?
The standard timeline is 90 days, established by Google Project Zero. Microsoft, CERT/CC, and most bug bounty platforms use 90 days as the default, sometimes with a 14-day extension for complex issues.
What is the difference between responsible disclosure and full disclosure?
Responsible (coordinated) disclosure means reporting privately to the vendor first and only going public after a patch is available. Full disclosure means publishing all vulnerability details immediately, without giving the vendor advance notice.
What is a bug bounty programme?
A bug bounty programme is a structured incentive scheme where organisations pay security researchers to find and responsibly disclose vulnerabilities. Payouts range from a few hundred dollars for low-severity issues to over $1 million for critical zero-days on major platforms.
Can I get in legal trouble for reporting a vulnerability?
Potentially, yes — computer crime laws in many countries criminalise unauthorised access. Bug bounty programmes with legal safe harbour provisions protect researchers who follow the programme rules. Always test only in-scope systems, never access real user data, and read the programme's safe harbour clause before testing.