Vulnerability Disclosure Policies and Coordinated Disclosure

Vulnerability disclosure policies (VDPs) and coordinated disclosure frameworks govern how security researchers, organizations, and government agencies communicate about newly discovered software and hardware vulnerabilities. This reference covers the structural components of a VDP, the coordinated disclosure process, the regulatory and standards landscape that shapes these policies in the United States, and the decision boundaries that distinguish one disclosure approach from another. The subject has direct operational significance for any organization that develops, procures, or operates digital systems, particularly those subject to federal oversight or other US cybersecurity regulations.


Definition and scope

A vulnerability disclosure policy is a formal, published statement by an organization that defines how external parties, typically independent security researchers, may report discovered vulnerabilities and what the organization will do in response. CISA's guidance describes a VDP as a published commitment that tells researchers which systems are in scope, what kinds of testing are permitted, and how to submit a report, that states the organization will not pursue legal action against good-faith research (safe harbor), and that sets expectations for acknowledgement and resolution timelines (CISA Vulnerability Disclosure Policy Guidance).

The scope of VDPs covers three primary categories:

The Common Vulnerabilities and Exposures (CVE) program, operated by MITRE and sponsored by CISA, assigns standardized identifiers to disclosed vulnerabilities through a network of CVE Numbering Authorities (CNAs), many of which are vendors. Those identifiers are the public reference infrastructure around which disclosure activity, advisories, and scanner signatures are organized.


How it works

The coordinated disclosure process follows a defined sequence that balances researcher expectations, vendor remediation timelines, and public safety. The phases below are consistent with the process described in NIST SP 800-216 (Recommendations for Federal Vulnerability Disclosure Guidelines):

  1. Discovery: A researcher identifies a vulnerability in a system, product, or service.
  2. Reporting: The researcher submits a report through the organization's designated disclosure channel — typically a web form, email alias, or bug bounty platform — as defined in the VDP.
  3. Triage: The receiving organization acknowledges receipt (typically within 1–7 days under most published policies), validates the vulnerability, and assigns severity using a scoring standard such as the Common Vulnerability Scoring System (CVSS), maintained by FIRST.
  4. Remediation: The organization develops a patch or mitigation. The remediation window varies by severity and by policy. For federal civilian agencies, CISA's Known Exploited Vulnerabilities (KEV) catalog carries a due date for each listed vulnerability under Binding Operational Directive 22-01; the directive originally allowed six months for CVE IDs assigned before 2021 and two weeks for newer ones, and every KEV entry is by definition already being exploited (CISA KEV Catalog).
  5. Disclosure: After remediation or at an agreed deadline, the vulnerability details are published. This may include a CVE entry, a vendor advisory, or a joint advisory from CISA and sector-specific agencies.
  6. Post-disclosure review: The researcher may publish independent findings; the organization closes the ticket and updates affected assets.

The coordinated model contrasts with full (immediate) disclosure, where a researcher publishes details publicly without first giving the vendor time to fix, and with non-disclosure, where findings are shared only with affected vendors or government bodies and withheld indefinitely from the public. Guidance from FIRST and from CERT/CC treats coordinated disclosure as the default professional practice because it shortens the window in which a flaw is public but unpatched while still ending in public disclosure.


Common scenarios

Bug bounty programs: Organizations contract with platforms such as HackerOne or Bugcrowd to administer researcher submissions, triage, and rewards. The Department of Defense's "Hack the Pentagon" program, launched in 2016, was the first federally administered bug bounty and resulted in the identification of over 100 valid vulnerabilities in its initial run (U.S. Department of Defense, Defense Digital Service).

Multi-party coordinated disclosure (MPCVD): When a vulnerability affects components used across an entire industry — as with Log4Shell (CVE-2021-44228) — the coordinating party (often CERT/CC at Carnegie Mellon University or CISA) must simultaneously notify dozens of downstream vendors before public release. FIRST's MPCVD guidance addresses the sequencing and timing challenges specific to these scenarios.

Critical infrastructure disclosure: Organizations operating systems covered by critical infrastructure protection standards face additional obligations. Sector risk management agencies, such as the Department of Energy for the energy sector and the Department of Health and Human Services for healthcare, may require parallel notification under sector-specific frameworks. Incident reporting requirements intersect directly with disclosure obligations when a vulnerability is actively exploited before a patch exists: at that point a disclosure case may also be a reportable incident with its own clock.

Government contractor disclosure: Contractors operating under federal frameworks, including those pursuing CMMC certification, must ensure their VDP and internal incident handling satisfy DFARS 252.204-7012, which requires cyber incidents affecting covered defense information to be reported to DoD within 72 hours of discovery. A vulnerability report is not by itself a cyber incident, but evidence that a reported flaw was exploited against a covered system starts that 72-hour clock.


Decision boundaries

The principal classification decision in disclosure practice is the choice among the three disclosure models:

Model               Vendor notified before public?   Public disclosure timing   Primary risk
Coordinated (CVD)   Yes                              After patch or deadline    Vendor non-responsiveness
Full/immediate      No                               Immediate                  Active exploitation window
Non-disclosure      Yes                              Indefinitely withheld      Parallel discovery; no public protection

A secondary decision boundary concerns disclosure deadlines. Google Project Zero has applied a 90-day disclosure window since its 2014 launch, added a 14-day grace period in 2015 for fixes that will ship shortly after the deadline, and in 2021 moved to a 90-day fix window followed by a 30-day patch-adoption period before details are published; that benchmark has influenced industry practice broadly. Federal civilian agencies operate under different rules: CISA's BOD 20-01 requires each agency to publish a VDP that states expected timelines for acknowledgement and resolution rather than fixing a calendar deadline, while remediation deadlines for federal systems come from BOD 19-02 (critical findings within 15 calendar days, high within 30) and from the KEV due dates set under BOD 22-01.
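Deadline logic like the KEV due dates described under "How it works" and the federal timelines mentioned here is where tracking goes wrong in practice, because a finding can be subject to more than one clock. The following is an added example, not code from this page or from CISA: it reads a document shaped like the KEV JSON feed, derives a due date for each finding, and reports how many days overdue it is. The feed sample is constructed for this example (the field names follow the feed; the entry's dates are illustrative, not copied from the live catalog). The severity-based fallback uses the BOD 19-02 windows (critical 15 days, high 30 days) as defaults, and applying the stricter of the KEV due date and the severity SLA is this example's design choice, not a rule the page states.

```python
"""Remediation due dates from a KEV-shaped feed plus a severity SLA.
Added example; not the page's or CISA's own code."""
import json
from datetime import date, timedelta

# Constructed sample shaped like CISA's KEV JSON feed
# (known_exploited_vulnerabilities.json). Field names follow the feed;
# the dates are illustrative, not copied from the live catalog.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 1,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "shortDescription": "Apache Log4j2 contains a JNDI lookup vulnerability that allows remote code execution.",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}"""

# BOD 19-02 remediation windows for internet-accessible federal systems, by CVSS severity.
# Lower severities have no fixed federal deadline, so they are absent here.
DEFAULT_SLA_DAYS = {"Critical": 15, "High": 30}


def load_kev(feed_json):
    """Map cveID -> dueDate (date) from a KEV feed document."""
    feed = json.loads(feed_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}


SAMPLE_KEV = load_kev(SAMPLE_KEV_JSON)


def due_date(cve_id, severity, detected_iso, kev, sla_days=DEFAULT_SLA_DAYS):
    """ISO due date for a finding, or None when no deadline applies.

    If the CVE is in KEV, its catalog due date applies (binding for federal agencies
    under BOD 22-01). If a severity SLA also applies, the earlier of the two wins:
    a KEV listing never relaxes an SLA that is already running.
    """
    candidates = []
    if cve_id in kev:
        candidates.append(kev[cve_id])
    if severity in sla_days:
        candidates.append(date.fromisoformat(detected_iso) + timedelta(days=sla_days[severity]))
    return min(candidates).isoformat() if candidates else None


def days_overdue(cve_id, severity, detected_iso, today_iso, kev):
    """Whole days past the due date (0 if not yet due), or None when no deadline applies."""
    due = due_date(cve_id, severity, detected_iso, kev)
    if due is None:
        return None
    return max(0, (date.fromisoformat(today_iso) - date.fromisoformat(due)).days)


if __name__ == "__main__":
    # Constructed inventory row: Log4Shell seen on 2021-12-11, reviewed on 2022-01-10.
    print(due_date("CVE-2021-44228", "Critical", "2021-12-11", SAMPLE_KEV))
    print(days_overdue("CVE-2021-44228", "Critical", "2021-12-11", "2022-01-10", SAMPLE_KEV))
```

Non-federal organizations can substitute their own SLA table, but the structure is the same: exploitation status (KEV) and intrinsic severity (CVSS) are separate inputs, and the deadline is the earliest one that applies.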

Organizations must also determine whether a discovered vulnerability qualifies as a reportable cyber incident under statutes such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which directs CISA to establish mandatory reporting rules. Coordination between disclosure timelines and cybersecurity incident reporting requirements is an active area of regulatory development.

The NIST Cybersecurity Framework addresses vulnerability management across its Identify, Protect, and Respond functions, and CSF 2.0 adds an explicit outcome (ID.RA-08) for establishing processes to receive, analyze, and respond to vulnerability disclosures, which gives organizations a structured basis for integrating VDP obligations into broader risk governance. FIRST's CVSS (v3.1, and v4.0 since late 2023) provides a numeric base score from 0.0 to 10.0 for prioritizing remediation once a report is received and triaged; because the base score measures intrinsic severity rather than whether a flaw is being exploited, it is normally combined with exploitation intelligence such as a KEV listing when setting deadlines.

