LOGBOOK

HELP

Quiz Entry - updated: 2026.06.23

You lead a widely deployed web product and someone reports a security flaw. What should your response look like?

Triage and confirm it fast, develop and test a fix under wraps, coordinate the disclosure timeline with the reporter, then ship the patch and notify customers — don't ignore it and don't tip off attackers before the fix is out.

Imagine your product is used by 100+ customers and millions of daily users, and a flaw lands in your inbox. The wrong reactions are the tempting ones: ignore it, dismiss the reporter, or rush a public statement before a fix exists (which just hands attackers a roadmap). The professional response is responsible / coordinated disclosure:

  1. Acknowledge and triage — confirm the report is real and assess severity (e.g. with CVSS). Reporters who get silence often go public out of frustration.
  2. Fix privately — develop and test a patch without broadcasting the details while users are still exposed.
  3. Coordinate the timeline — agree a disclosure date with the reporter; this is also where a CVE ID gets requested so everyone can track the issue.
  4. Release and inform — push the patch, then notify customers so they actually apply it; a fix nobody installs protects no one.

Why a process matters: the window between "flaw is known" and "patch is deployed" is exactly when breaches happen (recall that over a quarter of organisations were breached via unpatched flaws). A calm, rehearsed disclosure process shrinks that window instead of widening it through panic or denial.

From Quiz: SPRG / Secure Programming Introduction | Updated: Jun 23, 2026