What Does Vulnerability Disclosure Mean?
A vulnerability disclosure is a policy practiced by organizations as well as individuals regarding the disclosure or publication of information about security vulnerabilities and exploits pertaining to a computer system, network or software. The practice rests on the belief, held by ethical hackers and computer security experts, that they have a social responsibility to make the general public aware of vulnerabilities that might affect them; staying silent would create a false sense of security and breed complacency, leading to further risk.
Vulnerability disclosure is also known as full disclosure of vulnerabilities or simply full disclosure.
Techopedia Explains Vulnerability Disclosure
Vulnerability disclosure is the practice of publishing the details of a security vulnerability to the general public for scrutiny and to press software and hardware vendors to patch the issue quickly. Before vulnerability disclosure became common, software and hardware vendors relied on security through secrecy, which is to say they hoped that whatever vulnerabilities they had would not be discovered and exploited by hackers. However, hackers have proven time and time again that if a vulnerability exists, they will most likely discover it sooner or later.
Before vulnerability disclosure became a common practice, security researchers who reported vulnerabilities they had found were often ignored, and some were even threatened with lawsuits if the vulnerabilities became known. Some companies treated reported vulnerabilities as “theoretical” until a resourceful hacker found and exploited them, at which point the company would have to develop a patch in a hurry and then apologize profusely to its customers. That is why a group of companies and security researchers came together to form “responsible disclosure,” which relied on the threat of publishing the vulnerability to compel the company in question to act on it.
The process for a vulnerability disclosure starts when a vulnerability is discovered in a software or hardware system. The person who discovered it informs the company, with details of the vulnerability, so that the company can take action. After 45 days, whether or not the company has released a patch, the vulnerability is publicly disclosed.