loading
Loading content
loading
Also known as coordinated disclosure
Responsible disclosure sets the process a researcher follows after finding a flaw: report it privately to the vendor or maintainer, agree on a timeline, and hold public details until a fix ships or the window closes. Most programs settle on a fixed period (90 days is common, popularized by Google's Project Zero), after which the researcher may publish regardless, which keeps vendors from sitting on a report indefinitely.
The model matters because the alternatives both fail users. Full immediate disclosure hands a working bug to attackers before a patch exists. Silence leaves the flaw live and rewards no one. Coordinated timing gives defenders a chance to remediate while still crediting the researcher and pushing the vendor to act.
A clean report pairs well with a proof of concept so the vendor can reproduce the issue fast. Many findings flow through a bug bounty program with disclosure terms baked in, and a confirmed fix usually earns a CVE. When a vendor ignores a report and an attacker exploits the flaw first, it becomes a zero-day.
In a Trickest workflow the discovery side produces the evidence and PoC; the disclosure step stays a human decision, governed by the program's policy and the agreed timeline.
Related terms