Skip to content

What is coordinated vulnerability disclosure and how should it work?

Short answer

Coordinated vulnerability disclosure is a process where a researcher reports a flaw privately to the vendor, both sides agree on remediation and a timeline, and details are published only after a fix is available (or an agreed deadline lapses). It balances giving defenders time to patch against the public's right to know. A security.txt file and a clear policy make reporting frictionless; bug bounty programs add structured rewards on top.

Finding a vulnerability is only half the job; getting it fixed without putting users at risk is the other half. Interviewers ask about disclosure to test your ethics and process maturity — a researcher who dumps a zero-day on Twitter is a liability, not an asset.

The spectrum of disclosure

  • Full disclosure publishes everything immediately. It pressures vendors but arms attackers before a patch exists.
  • Non-disclosure keeps the flaw secret. Defenders never get to fix it, and "security through obscurity" fails the moment someone else finds it.
  • Coordinated (responsible) disclosure sits in between and is the professional default: report privately, give time to fix, then publish.

The coordinated process

  1. Report. The researcher contacts the vendor through a known channel — ideally a published policy and a security.txt file (RFC 9116) advertising a contact and scope.
  2. Acknowledge and triage. The vendor confirms receipt, reproduces, and assesses severity (often assigning a CVE).
  3. Remediate. Both parties agree on a fix and a disclosure timeline — commonly around 90 days, adjustable for complexity.
  4. Coordinate release. Patch ships first; the vendor and researcher then publish advisories, often crediting the reporter.
  5. Disclose at the deadline regardless. If the vendor stalls, a pre-agreed deadline still triggers publication, so a vendor cannot bury a flaw forever.

Why the deadline exists

The deadline protects users two ways: it stops indefinite vendor inaction, and it acknowledges that others may independently discover the same bug. Time-bounding forces movement while still prioritizing a fix-first outcome.

Bug bounties and safe harbor

Bug bounty programs formalize this with scope, rewards, and — crucially — safe harbor language promising not to pursue legal action against good-faith researchers, which is what makes researchers willing to report at all.

What interviewers look for

They want the coordinated middle ground over full or non-disclosure, the report-fix-publish sequence, awareness of timelines and why deadlines exist, and the practical enablers: security.txt, CVEs, and safe-harbor terms.

Likely follow-ups

  • How does coordinated disclosure differ from full disclosure and non-disclosure?
  • What is a security.txt file and what should it contain?
  • Why do disclosure programs set a deadline even when the vendor is cooperating?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.