Vulnerability Disclosure

Vulnerability disclosure is the process by which security researchers report discovered vulnerabilities to affected vendors or the public. Responsible disclosure involves privately notifying the vendor first and giving the vendor a defined time period to develop a patch before details are made public.

Some organizations run formal bug bounty programs that pay researchers for responsibly disclosed vulnerabilities. Full immediate public disclosure without vendor notification is controversial because it arms attackers with exploit information before defenses exist.

CISSP Relevance

Vulnerability disclosure sits at the intersection of Domain 6 (Security Assessment and Testing) and Domain 1 (Security and Risk Management). CISSP candidates must understand disclosure frameworks, the legal implications of vulnerability research, and how organizations should respond to externally reported vulnerabilities.

External reference: CISA Coordinated Vulnerability Disclosure Process

Related terms: Vulnerability Assessment, Penetration Testing