Mistakes are human—and software development is no exception. A simple typo or an overlooked edge case in the code can have far-reaching consequences, potentially introducing security vulnerabilities that attackers may exploit. Closing these gaps requires a structured and efficient approach. This is precisely where the concept of Responsible Disclosure comes into play.
At CERTAINITY, we view Responsible Disclosure as an important contribution to the cybersecurity community, helping to build a safer and more resilient digital society.
What Is Responsible Disclosure?
Responsible Disclosure refers to the responsible handling and publication of security vulnerabilities. The core principle is that security researchers first report discovered vulnerabilities to the affected vendor or organization before making any technical details public.
This gives vendors the opportunity to develop and distribute a fix before attackers can exploit the vulnerability.
Publishing the vulnerability after it has been remediated remains an essential part of the process. It promotes transparency, informs users about potential security issues, and provides clear guidance on how affected systems can be protected—for example through software updates or configuration changes.
CERTAINITY’s Approach
At CERTAINITY, vulnerabilities discovered in software developed by our direct customers are typically covered by a Non-Disclosure Agreement (NDA). In these cases, our customers decide how much information about identified vulnerabilities should ultimately be disclosed.
However, very few organizations rely exclusively on self-developed software. During our engagements, we frequently identify vulnerabilities in third-party products that our customers cannot fix themselves. In these situations, our Responsible Disclosure process applies.
Our Responsible Disclosure Policy defines how CERTAINITY consultants responsibly report vulnerabilities in third-party software and describes our internal disclosure workflow.
The process can be summarized as follows:
Analysis: Our security experts identify a vulnerability and assess its severity.
Notification / Initial Contact: The vulnerability details, including sufficient technical information to reproduce the issue, are securely communicated to the affected vendor or organization. A remediation deadline is agreed upon. CERTAINITY aims to provide vendors with sufficient time to develop a fix while ensuring that affected users receive a timely solution.
Remediation: Ideally, the vendor develops and releases an appropriate fix within the agreed timeframe. Our consultants actively support this process and verify that the implemented solution successfully mitigates the vulnerability.
Publication: Once the vulnerability has been remediated—or after the agreed disclosure deadline has expired—the advisory is published to inform the public about the security issue and its remediation. Our advisories follow a structured format including affected software identifiers, version information, severity assessments, CVE identifiers (where applicable), and a detailed disclosure timeline, enabling readers to quickly determine whether they are affected.
Through this approach, we build trust among all stakeholders while contributing to the sustainable remediation of security vulnerabilities.
Examples from Practice
Over the years, CERTAINITY has responsibly disclosed and helped remediate numerous vulnerabilities. Some notable examples include:
- Multiple Vulnerabilities in Web Level Control (WLC) Application
- Clock Fault Injection on Mocor OS – Password Bypass
- Multiple Vulnerabilities in NetModule Routers
Challenges and Best Practices
Implementing a Responsible Disclosure process is not always straightforward. Common challenges include:
Communication: Organizations do not always respond promptly to vulnerability reports. Missing or unclear security contact information often delays the disclosure process.
Lack of Understanding: Not every organization immediately recognizes the severity of a reported vulnerability or fully understands its potential impact.
Prioritization and Resources: Vendors and software developers must allocate sufficient resources to investigate and remediate reported vulnerabilities.
Based on our experience, transparency, clearly defined processes, and mutual respect are the key ingredients for successful Responsible Disclosure.
We recommend the following best practices:
Clear Documentation: Publishing a Responsible Disclosure Policy builds trust and provides guidance for everyone involved. Many organizations also participate in bug bounty programs or follow the security.txt standard, which specifies that security contact information should be published under
/.well-known/security.txt.Timely Communication: Fast responses demonstrate that reported vulnerabilities are taken seriously. Publicly committing to response timelines through a published disclosure policy further strengthens trust.
Collaboration: Security researchers and vendors should work together to resolve vulnerabilities effectively. Where appropriate, CERTAINITY can also support organizations with additional security services to further improve their overall security posture.
Conclusion
Organizations that manage security vulnerabilities transparently and through structured processes not only strengthen the security of their own products but also contribute to improving cybersecurity across the entire industry.
As software ecosystems become increasingly complex — with growing dependencies on open-source software, third-party frameworks, and evolving regulatory requirements such as NIS2 and the Cyber Resilience Act (CRA) — a well-defined Responsible Disclosure process is becoming indispensable.
Software vendors that embrace transparency, collaboration, and structured vulnerability management build trust, reduce risk, and improve long-term resilience.
CERTAINITY actively supports this mission through dedicated security research, structured Responsible Disclosure processes, and close collaboration with software vendors, security researchers, and the broader cybersecurity community.
