← Back to glossary

Responsible Vulnerability Disclosure

General Intermediate

debt(d5/e1/b3/t7)

d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list securitytxt.org and owasp-zap as tools — these are specialist/opt-in scanners rather than default linters or compilers. The absence of a security.txt or disclosure policy is not flagged by default tooling; you need to deliberately run a check or audit.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1). The quick_fix is explicit: add a security.txt file at /.well-known/security.txt with contact, policy URL, and timeline. This is a single file addition — minimal effort to remediate the missing disclosure policy.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The choice applies_to web contexts and primarily affects one operational concern (how researchers contact you). Once a security.txt and policy are in place, the ongoing maintenance burden is low and localised — it doesn't shape every future development decision, but teams must keep the contact and policy current.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states that developers believe 'publicly disclosing a vulnerability immediately puts pressure on vendors to fix it faster,' when in reality immediate public disclosure before a fix is available puts all users at risk. This directly contradicts widely-held intuitions about transparency and accountability, making it a serious cognitive trap that contradicts how similar openness principles work in other contexts.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

responsible disclosure coordinated disclosure CVE disclosure

TL;DR

The practice of privately reporting security vulnerabilities to vendors before publishing, allowing time for a fix.

Explanation

Responsible (coordinated) vulnerability disclosure balances the public's right to know about vulnerabilities with the vendor's need for time to fix them. A researcher discovers a vulnerability, privately reports it to the vendor with a technical description, agrees on a disclosure timeline (typically 90 days, e.g., Google Project Zero's policy), and publishes a CVE after the fix is released. For PHP projects, provide a SECURITY.md file with a private reporting channel (security@domain.com), acknowledge reports within 48 hours, and maintain a CVE assignment process.

Common Misconception

✗ Publicly disclosing a vulnerability immediately puts pressure on vendors to fix it faster. Immediate public disclosure before a fix is available puts all users at risk. Responsible disclosure gives vendors a reasonable window (typically 90 days) to patch before details are made public.

Why It Matters

A clear vulnerability disclosure policy tells researchers how to safely report findings — without one, researchers may disclose publicly, contact the wrong people, or give up and leave the vulnerability unreported.

Common Mistakes

No security.txt or disclosure email — researchers cannot find a contact and publish instead.
Legal threats to researchers reporting in good faith — destroys trust and deters future reports.
No acknowledgement within 24-48 hours — researchers assume the report was missed.
No timeline commitment — researchers cannot plan responsible disclosure without a fix timeline.

Code Examples

✗ Vulnerable

# Missing security.txt — no disclosure channel:
# GET /.well-known/security.txt → 404
# Researcher finds SQL injection, has nowhere to report
# Options: disclose publicly, sell to broker, or give up
# All worse than a working disclosure channel

# Correct /security.txt:
# Contact: security@example.com
# Expires: 2027-01-01T00:00:00z
# Preferred-Languages: en

✓ Fixed

# Responsible Disclosure — security.txt (RFC 9116)
# Place at https://yourapp.com/.well-known/security.txt

Contact:   security@yourapp.com
Expires:   2025-12-31T00:00:00.000Z
Encryption: https://yourapp.com/pgp-key.txt
Preferred-Languages: en
Policy:    https://yourapp.com/security-policy

# Response process:
# 1. Acknowledge receipt within 48 hours
# 2. Confirm vulnerability within 5 business days
# 3. Target fix: critical = 7 days, high = 30 days, medium = 90 days
# 4. Coordinate disclosure date with reporter
# 5. Credit reporter in changelog/CVE (if they want)
# 6. Publish CVE if CVSS >= 4.0

# Do NOT: ignore reports, threaten legal action against good-faith researchers

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,506 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Perplexity 46 Amazonbot 17 Scrapy 13 Google 6 Ahrefs 4 ChatGPT 3 Unknown AI 2 Claude 1 Meta AI 1 Bing 1 Sogou 1 PetalBot 1

Also referenced

Incident Response 66 CWE 51 CVSS 48 Penetration Testing 48

How they use it

crawler 93 crawler_json 3

Related categories

security 7.9k general 3k devops 2.2k

⚡ DEV INTEL Tools & Severity

🟡 Medium ⚙ Fix effort: Low

⚡ Quick Fix

Add a security.txt file at /.well-known/security.txt with your security contact, policy URL, and preferred disclosure timeline — it's the standard way security researchers contact you

📦 Applies To

any web

🔗 Prerequisites

Bug Bounty Programme Security by Design Zero-Day Vulnerability

🔍 Detection Hints

No security.txt; no responsible disclosure policy; security contact buried or missing; researchers unable to report vulnerabilities

Auto-detectable: ✓ Yes securitytxt.org owasp-zap

⚠ Related Problems