
  • No Disclosure – When a vulnerability is found, all information about the vulnerability is kept private. Sometimes this is enforced by non-disclosure agreements (NDAs). Vendors sometimes prefer this scenario.
  • Full Disclosure – When a vulnerability is found by a reporter, all information about the vulnerability including proof of concept should be disclosed immediately. The vendor is typically not informed prior to disclosure, or at least has a very small window (typically < 1 day) to act. Alternately, this type of disclosure may also be performed by the vendor themselves; many open source projects, for example, handle security issues in the open in order to maximize review of the vulnerability and proposed solution.
  • "Responsible" Disclosure – When a vulnerability is found by a reporter, the reporter informs the vendor that the information will be disclosed in a set timeline. The vendor is typically expected to adapt to the schedule imposed by the reporter. The disclosure may or may not be Full Disclosure after the timeline has expired.
  • Coordinated Disclosure – When a vulnerability is found by a reporter, the reporter informs the vendor of the vulnerability and suggests a timeline for disclosure. The reporter and vendor negotiate and coordinate (sometimes through a third party such as the CERT/CC) on the timeline, and disclose information on the vulnerability jointly at an agreed-upon time. Typically, the disclosure withholds critical details such as the proof of concept in order to slow down reverse engineering and exploitation of the vulnerability. If a timeline cannot be agreed upon, this disclosure scenario may turn into Full Disclosure.

The CERT/CC believes the Coordinated Disclosure process is the best balance of these competing interests. The public, and especially users of the vulnerable component, deserve to know about issues with their products and how the vendor handles said issues, but at the same time, quickly disclosing such information without review and mitigation only exposes the public to exploitation. The best scenario is when everyone can coordinate and work together to protect the public.