Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure
Crime Science, published 2018-11-19, DOI: 10.1186/s40163-018-0090-8
Marleen Weulen Kranenbarg, Thomas J. Holt, Jeroen van der Ham

In the computer science field, coordinated vulnerability disclosure is a well-known practice for finding flaws in IT systems and patching them. In this practice, a white-hat hacker who finds a vulnerability in an IT system reports that vulnerability to the system’s owner. The owner then resolves the problem, after which the vulnerability is disclosed publicly. This practice generally does not focus on potential offenders or black-hat hackers, who would likely exploit the vulnerability instead of reporting it. In this paper, we take an interdisciplinary approach and review the current coordinated vulnerability disclosure practice from both a computer science and a criminological perspective. We discuss current issues in this practice that could influence the decision to use coordinated vulnerability disclosure rather than exploit a vulnerability. Based on different motives, a rational-choice or cost–benefit analysis of the possible reactions after finding a vulnerability is discussed. Subsequently, implications for practice and suggestions for future research are included.

Updated: 2018-11-19