Stop Saying "Responsible Disclosure" | Blog

  • By David Buchanan on 11th May 2025:

    • “Responsible” is a loaded term yet vague and non-specific.
    • What’s responsible in a situation depends on vulnerability, vendors, and other stakeholders.
    • “Coordinated Disclosure” is more neutral but still vague.
    • When saying “responsible disclosure”, the follow-up should be “responsible to whom?”.
    • “Coordinated disclosure” just replaces the question with “in coordination with whom?”.
    • Prefers terms like “vendor-coordinated disclosure”, “maintainer-coordinated disclosure”, or “user-coordinated disclosure” (not mutually exclusive).
    • User-coordinated disclosure may be a new name; consider a security researcher’s hypothetical announcement.
    • In vendor-coordinated disclosure, it is common to set a deadline for full disclosure (anywhere between ~7 and ~180 days, with no consensus on the optimal length).
    • Disclosure policy and decision-making are nuanced; if someone uses “responsible disclosure”, ask for more specificity.