What is coordinated vulnerability disclosure and how should it work?
Short answer
Coordinated vulnerability disclosure is a process where a researcher reports a flaw privately to the vendor, both sides agree on remediation and a timeline, and details are published only after a fix is available (or an agreed deadline lapses). It balances giving defenders time to patch against the public's right to know. A security.txt file and a clear policy make reporting frictionless; bug bounty programs add structured rewards on top.
Finding a vulnerability is only half the job; getting it fixed without putting users at risk is the other half. Interviewers ask about disclosure to test your ethics and process maturity — a researcher who dumps a zero-day on Twitter is a liability, not an asset.
The spectrum of disclosure
- Full disclosure publishes everything immediately. It pressures vendors but arms attackers before a patch exists.
- Non-disclosure keeps the flaw secret. Defenders never get to fix it, and "security through obscurity" fails the moment someone else finds it.
- Coordinated (responsible) disclosure sits in between and is the professional default: report privately, give time to fix, then publish.
The coordinated process
- Report. The researcher contacts the vendor through a known channel — ideally a published policy and a security.txt file (RFC 9116) advertising a contact and scope.
- Acknowledge and triage. The vendor confirms receipt, reproduces, and assesses severity (often assigning a CVE).
- Remediate. Both parties agree on a fix and a disclosure timeline — commonly around 90 days, adjustable for complexity.
- Coordinate release. Patch ships first; the vendor and researcher then publish advisories, often crediting the reporter.
- Disclose at the deadline regardless. If the vendor stalls, a pre-agreed deadline still triggers publication, so a vendor cannot bury a flaw forever.
Why the deadline exists
The deadline protects users two ways: it stops indefinite vendor inaction, and it acknowledges that others may independently discover the same bug. Time-bounding forces movement while still prioritizing a fix-first outcome.
Bug bounties and safe harbor
Bug bounty programs formalize this with scope, rewards, and — crucially — safe harbor language promising not to pursue legal action against good-faith researchers, which is what makes researchers willing to report at all.
What interviewers look for
They want the coordinated middle ground over full or non-disclosure, the report-fix-publish sequence, awareness of timelines and why deadlines exist, and the practical enablers: security.txt, CVEs, and safe-harbor terms.
Likely follow-ups
- How does coordinated disclosure differ from full disclosure and non-disclosure?
- What is a security.txt file and what should it contain?
- Why do disclosure programs set a deadline even when the vendor is cooperating?