Responsible Disclosure
Definition
Responsible disclosure, also called coordinated vulnerability disclosure (CVD), is the process by which a security researcher reports a discovered vulnerability to the affected organisation so that it can be fixed before the details become public and before malicious actors can exploit it.
How does responsible disclosure work?
The process follows four steps: the researcher discovers a vulnerability; reports it to the affected organisation through its published security contact or vulnerability disclosure policy (VDP); allows a reasonable remediation period (90 days is the widely adopted deadline popularised by Google Project Zero); and then discloses the vulnerability publicly, once a fix is available or the deadline has passed. During the remediation period the researcher does not publish exploitable details.
Vulnerability Disclosure Policy (VDP)
Organisations publish a VDP describing how researchers can report vulnerabilities, which systems are in scope, which rules apply (for example no data exfiltration and no denial-of-service testing) and which legal protection (safe harbour) the organisation offers researchers who follow those rules. The EU Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to implement vulnerability handling processes, including a policy on coordinated vulnerability disclosure.
Impact on organisations
Organisations without a VDP miss out on valuable vulnerability reports: researchers who cannot find a safe reporting channel may resort to full disclosure or not report at all. A good responsible disclosure process improves security at minimal cost.
Protection
Publish a VDP on the website and point to it from a security.txt file served over HTTPS at /.well-known/security.txt (RFC 9116). Designate an internal team for triaging and handling reports. Communicate transparently with researchers: acknowledge receipt and report progress. Resolve reported vulnerabilities promptly. Consider a bug bounty programme.
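The security.txt file is standardised in RFC 9116, and a file that is missing a required field or has expired is one researchers are told not to trust. The following Python checker is an added example, not material from the page and not DEFION tooling: it parses a security.txt, enforces the RFC's MUST requirements (Contact and Expires present, Expires and Preferred-Languages at most once, Contact values that are URIs rather than bare e-mail addresses, Expires an RFC 3339 date-time that has not passed) and warns on the recommended points (HTTPS links, Expires less than a year ahead). The example.com addresses, the two sample files, the fixed reference time and the error/warning split are constructed for illustration.

```python
"""Offline checker for a security.txt file (RFC 9116).

Added example for this page; not DEFION tooling. Sample files and
example.com addresses below are constructed. Severity split is this
example's choice: RFC MUST requirements -> errors, SHOULD/RECOMMENDED -> warnings.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 9116 section 2.5: Contact and Expires MUST be present; Expires and
# Preferred-Languages MUST NOT appear more than once.
REQUIRED = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
# A URI starts with a scheme (RFC 3986); a bare e-mail address does not.
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
# Fixed reference time so the sample results are reproducible (constructed).
SAMPLE_NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)


@dataclass
class Report:
    fields: dict[str, list[str]]
    errors: list[str]
    warnings: list[str]

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_security_txt(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Map lower-cased field names to their values; '#' comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    errors: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            errors.append(f"line {lineno}: not a 'Field-name: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def parse_expires(value: str) -> datetime | None:
    """Parse an RFC 3339 date-time; None if unparsable or without a UTC offset."""
    iso = value.strip()
    if iso[-1:] in ("Z", "z"):  # fromisoformat() before Python 3.11 rejects 'Z'
        iso = iso[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(iso)
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def validate_security_txt(text: str, now: datetime | None = None) -> Report:
    """Report RFC 9116 MUST violations as errors and recommended points as warnings."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings: list[str] = []

    for name in sorted(REQUIRED - set(fields)):
        errors.append(f"missing required field: {name}")
    for name in sorted(SINGLE_VALUED):
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} must not appear more than once")
    for name in sorted(set(fields) - KNOWN_FIELDS):
        warnings.append(f"unknown field (extension or typo?): {name}")

    for uri in fields.get("contact", []):
        if not SCHEME.match(uri):
            errors.append(f"contact is not a URI (use mailto:, tel: or https:): {uri}")
    for name in ("contact", "canonical", "encryption", "policy", "acknowledgments", "hiring"):
        for uri in fields.get(name, []):
            if uri.lower().startswith("http://"):
                warnings.append(f"{name} points to a plain-http URI: {uri}")

    if len(fields.get("expires", [])) == 1:
        expires = parse_expires(fields["expires"][0])
        if expires is None:
            errors.append(f"expires is not an RFC 3339 date-time with offset: {fields['expires'][0]}")
        elif expires <= now:
            errors.append(f"expires has passed ({expires.isoformat()}); the file is stale")
        elif expires - now > timedelta(days=365):
            warnings.append("expires is more than a year ahead; the RFC recommends under a year")

    return Report(fields, errors, warnings)


# Constructed sample: a well-formed file of the kind the Protection section recommends.
GOOD_SECURITY_TXT = """\
# Served at https://example.com/.well-known/security.txt (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2026-06-30T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/vdp
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with three common mistakes: bare e-mail, no Expires, stray text.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Policy: http://example.com/vdp
Hello researchers!
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        report = validate_security_txt(body, now=SAMPLE_NOW)
        print(f"{label}: ok={report.ok}")
        for msg in report.errors:
            print("  ERROR  ", msg)
        for msg in report.warnings:
            print("  WARNING", msg)
```

Run it against the content you actually serve and drop the `now=` argument to check against the real clock. What it cannot verify offline is that the file is served over HTTPS at the well-known path and that the Canonical URI matches where it is served; check those with a browser or curl after deployment.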
How DEFION helps
DEFION advises on establishing responsible disclosure policies and VDPs. The team assists in handling received vulnerability reports and can validate reported vulnerabilities.