Coordinated vulnerability disclosure

Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. ZDI has a 120-day disclosure deadline which starts after receiving a response from the vendor. == Managed vulnerability disclosure ==

In addition to internally operated vulnerability disclosure programs, some organizations rely on managed vulnerability disclosure services provided by third-party security vendors. In this model, an external provider operates and maintains the vulnerability reporting channel on behalf of the organization, performs initial triage and validation of incoming reports, and coordinates communication between reporters and the affected organization. Managed approaches are typically used by organizations that lack dedicated internal security resources or that receive a high volume of vulnerability submissions. Managed vulnerability disclosure services generally align with established coordinated disclosure frameworks, such as those published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA), and are commonly designed to support standards including ISO/IEC 29147 and ISO/IEC 30111. Industry guidance describes these services as a way to improve responsiveness, reduce legal risk for researchers through safe-harbor language, and ensure consistent handling of vulnerability reports, while maintaining the organization’s responsibility for remediation and final disclosure decisions. Several commercial vulnerability management and bug bounty platforms offer managed disclosure as part of broader security testing or vulnerability coordination services, like Hackrate, who also participate directly in vulnerability identification by acting as CVE Numbering Authorities (CNAs), enabling them to assign CVE identifiers as part of the coordinated disclosure process. ==Examples==

Selected security vulnerabilities resolved by applying coordinated disclosure: • MD5 collision attack that shows how to create false CA certificates, 1 week • Starbucks gift card double-spending/race condition that allowed producing fraudulent extra credits, 10 days (Egor Homakov) • Dan Kaminsky discovery of DNS cache poisoning, 5 months • MBTA vs. Anderson, MIT students find vulnerability in the Massachusetts subway security, 5 months • Radboud University Nijmegen breaks the security of the MIFARE Classic cards, 6 months • The Meltdown vulnerability, hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors, 7 months. • The Spectre vulnerability, hardware vulnerability with implementations of branch prediction affecting modern microprocessors with speculative execution, allowing malicious processes access to the mapped memory contents of other programs, 7 months. ==See also==