Stop Saying "Responsible Disclosure"

By David Buchanan, 11th May 2025

It's a loaded term, while somehow also managing to be vague and non-specific.

The "responsible" thing to do in any given situation can vary wildly, depending on the nature of the vulnerability, the nature of the vendor(s), and other stakeholders involved.

"Coordinated Disclosure" is a more neutral term (which is probably why it's the title of the relevant Wikipedia article), but it's still too vague.

When someone says "responsible disclosure", the immediate follow-up question should be: "responsible to whom?"

Saying "coordinated disclosure" is better, but it doesn't answer the question; it just replaces it with a new one: "in coordination with whom?"

I prefer to say something like "vendor-coordinated disclosure", "maintainer-coordinated disclosure", or even "user-coordinated disclosure" (and they're not mutually exclusive!)

User-coordinated disclosure might sound like a new concept. It's not, although I might be the first to give it a name. Consider a hypothetical announcement made by a security researcher:

"If you want to run homebrew software on $game_console, don't update it beyond version 1.2.3 and keep it offline! More details coming soon."

We can get more specific, too. When engaging with vendor-coordinated disclosure, it's common to include a deadline for full disclosure (which could be anywhere between ~7 and ~180 days - nobody can agree on what's optimal). So you could say "vendor-coordinated disclosure with 90-day deadline".

That's a bit of a mouthful, but let's not pretend that disclosure policy and decision-making aren't nuanced.

If someone uses the term "responsible disclosure", ask them to be more specific.