
The Vulnerability Disclosure Debate: Full Disclosure, Responsible Disclosure, and the Bug Bounty Economy

Summary

When a security researcher finds a flaw in software that would allow an attacker to compromise a system, what should they do? The question is harder than it appears. Notifying the vendor privately gives the vendor time to patch but also time to ignore; publishing immediately protects the public’s right to know but enables attackers who move faster than defenders. The debate between “full disclosure” and “responsible disclosure” has run since the 1990s through mailing lists, corporate lawsuits, government investigations, and international diplomatic negotiations. It shaped the CVE vulnerability database, the bug bounty industry, Project Zero, and the legal frameworks that govern security research. The answer to “what should you do when you find a bug?” is still contested — but the infrastructure for handling vulnerabilities has become, itself, a multi-billion-dollar industry.

The Pre-History: Security Through Obscurity

Before the disclosure debate existed, the dominant approach was security through obscurity: vulnerabilities were known to vendors, quietly fixed without announcement, and never publicized. The vendor’s incentive was clear — public disclosure of security flaws damaged reputation and stock price. The implicit assumption was that secrecy protected users: if attackers did not know about a vulnerability, they could not exploit it.

The flaw in this model was that attackers and researchers discovered vulnerabilities independently. A vendor’s silence about a flaw in its software did not prevent sophisticated attackers from finding the same flaw; it merely prevented defenders from knowing they were vulnerable. Systems remained unpatched because their administrators did not know patching was necessary.

The academic security community challenged this assumption explicitly. Whitfield Diffie and Martin Hellman’s publication of public-key cryptography in 1976 — against the objections of the NSA, which preferred to keep asymmetric encryption classified — established the principle that security through obscurity was not security. Bruce Schneier’s maxim, codified in his 1996 book Applied Cryptography, was that “security designs should be published for public review.” If a cryptographic system’s security depended on the secrecy of its design rather than the secrecy of its keys, it was not secure.

Bugtraq and Full Disclosure

The full disclosure movement emerged from the early internet security community in the early 1990s. The principle: when a researcher finds a vulnerability, they should publish the technical details publicly, immediately, allowing users to assess their risk, vendors to fix the flaw, and the security community to develop defensive tools.

Bugtraq, a mailing list founded in 1993 by Scott Chasin, became the central venue for full disclosure. Researchers posted detailed vulnerability reports including proof-of-concept exploit code; vendor responses were public; users could read the entire discussion. Bugtraq’s premise was that vulnerability information should be available to everyone, not just to vendors who had commercial incentives to minimize the problem.

The practical effect was chaotic. Vendors had no consistent process for receiving vulnerability reports, no timelines for responding, and no public commitment to patching. Some vendors responded quickly and professionally; others sent legal threats. The Computer Emergency Response Team (CERT/CC), established at Carnegie Mellon after the Morris Worm of 1988, attempted to coordinate between researchers and vendors — but without standardized processes, coordination was ad hoc and inconsistent.

The CVE System and Standardized Naming

Common Vulnerabilities and Exposures (CVE) was created by MITRE in 1999 as a dictionary of vulnerabilities with standardized identifiers. A vulnerability assigned CVE-1999-0001 was the same flaw regardless of which vendor’s advisory, researcher’s paper, or security scanner referenced it. CVE names provided a common language across the fragmented security ecosystem.

The CVE database became the reference standard for security advisories, patch management systems, and vulnerability scanners. A CVE identifier allowed a system administrator to know whether a vulnerability they had read about in one source was the same as the one referenced in their vendor’s patch note. By 2024, the CVE database contained over 200,000 entries, with approximately 25,000 new vulnerabilities added annually.

The NVD and CVSS Scoring

The National Vulnerability Database (NVD), maintained by NIST, extended CVE entries with CVSS (Common Vulnerability Scoring System) scores — numerical ratings from 0 to 10 indicating severity. A CVSS score above 9.0 is “Critical”; such vulnerabilities must be patched urgently. CVSS scores became the standard metric for vulnerability prioritization in enterprise security programs, though critics noted that CVSS scores rated theoretical severity rather than actual exploitability — a 9.8-rated vulnerability that required physical access to exploit demanded a different response than a 9.8-rated vulnerability exploitable remotely without authentication.

Responsible Disclosure and the 90-Day Standard

The tension between full and silent disclosure was partially resolved by the responsible disclosure model, formalized in the early 2000s. Under responsible disclosure:

  1. The researcher notifies the vendor privately.
  2. The vendor has a fixed time period (typically 45–90 days) to develop and release a patch.
  3. After the deadline, the researcher publishes regardless of whether the vendor has patched.

The deadline was the innovation. Previous “coordinated disclosure” had no enforcement mechanism; vendors could delay indefinitely, leaving users vulnerable without ever knowing it. The deadline gave vendors a genuine incentive to fix vulnerabilities promptly: either patch before the deadline or face public disclosure.

Google’s Project Zero, established in 2014, became the most prominent practitioner of the 90-day model. Project Zero employed full-time security researchers whose sole job was finding vulnerabilities in software across the industry — not just Google products. Vulnerabilities found by Project Zero were reported to vendors with a 90-day deadline; after 90 days, the report was published whether or not a patch existed.

Project Zero’s approach attracted criticism from vendors who found the 90-day deadline insufficient for complex vulnerabilities requiring significant architectural changes. The team introduced a 14-day grace period for patches already in process. It attracted more criticism when it published vulnerabilities in Microsoft Windows and Apple iOS whose patches had not yet been deployed to all users. Project Zero’s counterargument: an unpatched vulnerability known to the vendor is known to sophisticated attackers too; users benefit from knowing their systems are vulnerable even before a patch exists, because they can take compensating measures.

The Bug Bounty Economy

The commercial resolution of the disclosure debate was the bug bounty program: vendors paying researchers for responsible disclosure of vulnerabilities rather than threatening them with lawsuits for unauthorized access.

Netscape launched the first significant corporate bug bounty in 1995, offering $1,000 for bugs in Netscape Navigator 2.0. The concept was small-scale until Google launched its Vulnerability Rewards Program in 2010, followed by Facebook in 2011. The programs established that finding vulnerabilities in commercial software was legitimate, valuable work that vendors would pay for.

HackerOne (2012) and Bugcrowd (2012) built platforms that connected security researchers with vendors running bug bounty programs, standardizing the process: researchers submitted reports through the platform, vendors triaged and rewarded them, and both parties maintained records of the interaction. By 2023, HackerOne had paid over $300 million in bounties to researchers; individual researchers earned millions of dollars annually.

The highest bounties reflected the economic value of keeping certain vulnerabilities secret, or of having defenders find them first. Apple’s Security Research Device Program offered up to $1 million for a zero-click, full-chain kernel code execution exploit on iOS. Zerodium, a private broker, offered $2.5 million for the same capability — to sell to government customers rather than to Apple. The commercial market for unreported, weaponizable vulnerabilities (zero-days) paid far more than bug bounty programs.

Zero-Days and the Surveillance Industry

The zero-day market — the trade in unreported vulnerabilities — operated in parallel with the responsible disclosure ecosystem. Intelligence agencies, law enforcement, and private surveillance companies purchased zero-day exploits for use in targeted surveillance operations.

NSO Group (Israel, founded 2010) developed the Pegasus spyware using zero-day iOS and Android exploits, selling to government customers for targeted surveillance. Pegasus was found on the phones of journalists, human rights activists, and heads of state across multiple countries, documented by the Citizen Lab at the University of Toronto. NSO Group maintained its software was sold only to legitimate government customers for lawful surveillance. The evidence suggested otherwise.

The Vault 7 leak (WikiLeaks, 2017) published the CIA’s hacking tools, including zero-day exploits for iOS, Android, and Windows. Like the NSA’s EternalBlue (which became WannaCry), the CIA tools demonstrated that government-held zero-days could be stolen and repurposed — that the agencies stockpiling vulnerabilities for offensive use were also the agencies responsible for defending the same systems.

The US Government’s Vulnerabilities Equities Process (VEP) — the interagency process for deciding whether a discovered vulnerability should be disclosed to the vendor or retained for intelligence use — has been described in broad terms but remains largely classified. The criteria for retaining versus disclosing are not public. NSA Director Michael Rogers acknowledged in 2017 that “the overwhelming majority” of vulnerabilities the NSA finds are disclosed to vendors — but declined to quantify what “overwhelming majority” meant in practice.

Dead End: The Coordination Failure

The structural problem that both full disclosure and responsible disclosure attempt to solve is a coordination failure: software vendors have an economic incentive to underinvest in security and to minimize the visibility of flaws; security researchers have an economic incentive to maximize the value of what they find; users have an interest in both knowing about vulnerabilities and having them patched; and attackers have an interest in exploiting the window between discovery and patching.

No disclosure framework fully resolves this tension. Responsible disclosure with deadlines works when vendors take security seriously, have adequate engineering resources, and treat researchers as partners rather than threats. It fails when vendors are slow, incompetent, or hostile. Full disclosure creates urgency but also creates exploit-ready information that defenders cannot act on before attackers do.

The bug bounty economy has improved the baseline — vendors now have financial incentives to attract and reward researchers rather than sue them — but has also created a two-tier market where the most valuable vulnerabilities go to the highest-paying buyer, which is often not the vendor whose software is affected. The zero-day market is not going away; the question is whether its operation can be structured to benefit defense more than offense.
