Responsible Disclosure (Coordinated Vulnerability Disclosure)

Definition

Responsible disclosure is the practice in which security researchers report vulnerabilities directly to the affected vendors before any public release, allowing a remediation window, typically of 90 days. The vendor patches the vulnerability and notifies affected users before, or in coordination with, the researcher's public disclosure.

This practice balances the public's right to know with giving vendors time to protect users, and is formalized in programs by major vendors and coordinated by organizations like CERT/CC.


Ship secure code faster

Crash Override integrates security into the developer workflow. No context switching, no waiting on reviews.