Stop Saying "Responsible Disclosure"
a year ago
- #disclosure
- #security
- #terminology
- The term "responsible disclosure" is vague and non-specific, as what counts as "responsible" can vary widely depending on the situation.
- "Coordinated disclosure" is a more neutral term but still lacks specificity, prompting questions like "in coordination with whom?"
- More precise alternatives include "vendor-coordinated disclosure", "maintainer-coordinated disclosure", or "user-coordinated disclosure", which clarify who is involved in the process.
- User-coordinated disclosure is not a new concept but may be newly named, as seen in examples where researchers warn users about vulnerabilities.
- Specificity can be increased further, such as by including deadlines (e.g., "vendor-coordinated disclosure with 90-day deadline").
- Disclosure policies are nuanced, and vague terms like "responsible disclosure" should be challenged for greater clarity.