Coordinated Vulnerability Disclosure

Coordinated disclosure is the practice of reporting a vulnerability privately to the vendor, agreeing a fix timeline, and publishing details only after a patch is available.

Definition

Coordinated Vulnerability Disclosure (CVD) — historically called "responsible disclosure" — is the convention by which a security researcher reports a vulnerability privately to the affected vendor, coordinates a fix timeline, and publishes the technical details only after the patch is publicly available (or after the agreed deadline has passed if the vendor stalls). It is the industry norm and is endorsed by ISO/IEC 29147, CERT/CC, and most vendor security teams.

The opposite of CVD is "full disclosure" — immediate public posting of the details — which is still occasionally practiced when a researcher believes a vendor is acting in bad faith. The middle ground is disclosure on a fixed deadline, with or without a patch (Project Zero's 90+30 day policy is the most-cited example).

Mitigation

Not applicable.
