Practice vocabulary for responsible disclosure: reporting vulnerabilities, following disclosure protocols, coordinating timelines, and public disclosure.
1 / 5
When a security researcher contacts a vendor about a weakness they found, they would typically open with:
"I've discovered a potential security vulnerability in your product" — the word 'potential' is important; it's professional and non-accusatory.
2 / 5
When a researcher conducts their disclosure process according to established security community norms, they say they are:
"Following responsible disclosure protocols" — this signals professionalism; it means you notified the vendor privately before going public.
3 / 5
The standard window of time researchers give vendors to fix a vulnerability before publishing it publicly is called:
"The 90-day disclosure timeline" — this is the industry standard (established by Google Project Zero); it balances vendor remediation time with public safety.
4 / 5
When a researcher asks the vendor to agree on when a fix will be released before publishing details, they say:
"I'd like to coordinate on a remediation timeline" — this collaborative phrasing keeps the relationship professional during the disclosure process.
5 / 5
When a vendor has not responded or fixed the issue and the researcher's deadline has passed, the researcher announces:
"I'm disclosing publicly as the deadline has passed" — this is the standard professional phrasing for publishing after the agreed deadline expires.