Disclosure Timeline
A disclosure timeline is the agreed or stated period between a security researcher privately reporting a vulnerability to a manufacturer and the point at which either the fix is released or the vulnerability is publicly disclosed. The standard industry timeline is 90 days, though the CRA does not prescribe a specific period.
What Is a Disclosure Timeline?
A disclosure timeline defines the coordinated period between a vulnerability being privately reported and it being made public. It balances two legitimate interests: the manufacturer's need for time to develop and deploy a fix, and the public's right to know about security risks so they can make informed decisions. The most widely adopted industry standard is 90 days from the vendor's receipt of a valid, reproducible report. This convention was popularised by Google Project Zero and has been endorsed by ENISA and most major vulnerability research programmes. The timeline starts when the manufacturer acknowledges receipt of a reproducible report — not when the researcher first contacts them. If no acknowledgement is received within a defined period (typically five business days), the timeline may be deemed to have started from the initial contact.
Grace Periods and Timeline Extensions
Most CVD policies provide for timeline extensions in specific circumstances. A 'grace period' (typically 14 days) may be granted when a patch is ready but requires additional time for deployment by users — for example, when OTA update infrastructure needs preparation. Extensions for complex systemic vulnerabilities (those affecting widely deployed infrastructure or requiring industry-wide coordination) may be longer. Timeline extensions should be negotiated with the reporting researcher, not unilaterally imposed. The researcher retains the right to publish when the agreed timeline expires, even if no patch is available. Vendors that routinely seek extensions without demonstrated progress lose researcher trust and may find their reports being published without the full coordination period.
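The two paragraphs above describe a small set of clock rules: the 90-day period runs from acknowledgement of a reproducible report, falls back to the initial-contact date when no acknowledgement arrives within five business days, and may be extended by a 14-day grace period only once a patch exists and needs deployment time, or by an explicitly negotiated date. The following calculator is an added example (not code from the page, the CRA, or any CVD portal product) that encodes exactly those rules so a vendor's tracking tool can raise deadline alerts; the `Report` fields, function names, and the "imminent" threshold of 14 days are this example's own assumptions, and public holidays are not modelled.

```python
"""Disclosure-timeline calculator (added example; encodes the conventions
described in the text, not any specific vendor's or regulator's rules).

  * the 90-day clock starts when the manufacturer acknowledges a
    reproducible report;
  * if no acknowledgement arrives within 5 business days, the clock is
    deemed to have started from the researcher's initial contact;
  * a 14-day grace period may be added, but only once a patch is ready
    and needs deployment time;
  * an explicitly negotiated extension replaces the computed deadline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STANDARD_DISCLOSURE_DAYS = 90      # industry norm cited in the text
ACK_WINDOW_BUSINESS_DAYS = 5       # "typically five business days"
GRACE_PERIOD_DAYS = 14             # "typically 14 days"
ALERT_THRESHOLD_DAYS = 14          # assumption of this example, not from the text


@dataclass
class Report:
    initial_contact: date                        # researcher first contacts the vendor
    acknowledged: Optional[date] = None          # vendor confirms a reproducible report
    patch_ready: bool = False                    # fix built, awaiting rollout (e.g. OTA)
    grace_granted: bool = False                  # researcher agreed to the grace period
    negotiated_deadline: Optional[date] = None   # explicit extension agreed with researcher


def add_business_days(start: date, days: int) -> date:
    """Date `days` business days (Mon-Fri) after `start`; holidays not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0=Mon .. 4=Fri
            remaining -= 1
    return current


def clock_start(report: Report, today: date) -> Optional[date]:
    """Date the disclosure clock started, or None if it has not started yet.

    The clock starts at a timely acknowledgement. If acknowledgement is late
    or missing once the ack window has passed, the clock is deemed to run
    from the initial contact.
    """
    ack_due = add_business_days(report.initial_contact, ACK_WINDOW_BUSINESS_DAYS)
    if report.acknowledged is not None and report.acknowledged <= ack_due:
        return report.acknowledged
    if today > ack_due:
        return report.initial_contact  # silence or late ack: clock already running
    return None  # still inside the acknowledgement window


def disclosure_deadline(report: Report, today: date) -> Optional[date]:
    """Earliest date the researcher may publish under the stated conventions."""
    if report.negotiated_deadline is not None:
        return report.negotiated_deadline  # a mutually agreed extension wins
    start = clock_start(report, today)
    if start is None:
        return None
    deadline = start + timedelta(days=STANDARD_DISCLOSURE_DAYS)
    # The grace period is for deployment of an existing patch only; it is not
    # a substitute for an unfinished fix.
    if report.grace_granted and report.patch_ready:
        deadline += timedelta(days=GRACE_PERIOD_DAYS)
    return deadline


def timeline_status(report: Report, today: date) -> str:
    """State string for a deadline-alerting dashboard."""
    deadline = disclosure_deadline(report, today)
    if deadline is None:
        return "awaiting-acknowledgement"
    remaining = (deadline - today).days
    if remaining < 0:
        return "overdue"
    if remaining <= ALERT_THRESHOLD_DAYS:
        return "deadline-imminent"  # time to talk to the researcher, not to go quiet
    return "on-track"


if __name__ == "__main__":
    # Constructed sample: contact on a Monday, acknowledged two days later.
    sample = Report(initial_contact=date(2025, 3, 3), acknowledged=date(2025, 3, 5))
    print(disclosure_deadline(sample, date(2025, 4, 1)), timeline_status(sample, date(2025, 4, 1)))
```

The status values map directly onto the failure mode the text warns about: a report that reaches "deadline-imminent" without a `negotiated_deadline` is the signal to open an explicit extension conversation rather than let the deadline pass silently.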
Disclosure Timelines for Multi-Vendor Vulnerabilities
When a single vulnerability affects components used across multiple products from different manufacturers — a common scenario with open source libraries or shared silicon — coordinating disclosure across all affected parties significantly complicates the timeline. In these cases, a CVD coordinator (such as ENISA, CERT/CC, or a national CSIRT) typically manages the coordinated multi-party disclosure (CMVD) process. The disclosure timeline is set to allow all affected vendors sufficient time to develop and release patches. Manufacturers should have a defined process for participating in multi-party coordination, including the authority to commit to a disclosure date, a fast-track patch development process, and pre-arranged communication with their customers and distribution channels.
Managing Disclosure Timeline Failures
When a manufacturer cannot meet the agreed disclosure timeline — either because a patch cannot be ready in time or because the fix requires architectural changes spanning multiple releases — the options are:
- Publish without a complete fix: Release a security advisory disclosing the vulnerability with available mitigations, accepting that full remediation will follow.
- Negotiate an extension: Agree with the researcher on a specific extended date with concrete progress milestones.
- Publish at deadline regardless: The researcher's right to publish after the deadline is generally respected in the industry.
Failing to communicate with the researcher as the deadline approaches — rather than seeking an explicit extension — consistently leads to surprise public disclosures that damage manufacturer credibility and expose users unnecessarily.
Frequently asked
Is 90 days the legally required disclosure timeline under the CRA?
No. The CRA does not specify a mandatory 90-day timeline. It requires manufacturers to establish a CVD policy and handle vulnerabilities within timeframes consistent with reasonable practice. The 90-day standard is an industry norm, endorsed by ENISA and widely followed. Manufacturers should state their expected timeline in their published CVD policy and apply it consistently. Shorter timelines for critical vulnerabilities and longer timelines for complex systemic issues are both acceptable when justified and communicated clearly.
What can a researcher do if a manufacturer ignores a report and the timeline expires?
If a manufacturer does not respond to a vulnerability report and the disclosure timeline expires, the researcher is generally within their rights — under widely accepted coordinated disclosure norms — to publish the vulnerability details. Before doing so, the researcher may escalate to a CVD coordinator such as ENISA, CERT/CC, or a national CSIRT, who can attempt to engage the manufacturer. For CRA-covered products, a non-responsive manufacturer is also non-compliant with Article 13(6), and ENISA or a national MSA can be notified.
Does the disclosure timeline apply to zero-day vulnerabilities already being exploited?
When a vulnerability is being actively exploited in the wild, the traditional disclosure timeline logic changes significantly. The CRA requires notification to ENISA within 24 hours of a manufacturer becoming aware of an actively exploited vulnerability. In active exploitation scenarios, the priority shifts to rapid remediation and user notification — researchers and vendors typically agree to accelerate public disclosure to enable defenders to take action, rather than waiting for the full timeline to expire.