Responsible Disclosure refers to the best practice followed by most security researchers of not disclosing a critical vulnerability in a software product until a vendor patch or fix has been made readily available. This often comes into play when teams such as Google’s Project Zero, a team created to discover and fix security flaws, discover a vulnerability, and do not disclose the information to the public. The reason that the security analysts and researchers aren’t able to share the information publicly is that hackers and cyber criminals are often much faster to attack and exploit the vulnerability announced than vendors can produce a patch, and customers can deploy that patch to provide protection to themselves and their networks, data, and systems. That is why this is called Responsible Disclosure and is considered a best practice though no laws exist to compel security researchers to follow this.
Source: CSO Online
Should SMB’s be familiar with Responsible Disclosure?
Yes. Many SMB’s develop software for online distribution and use. As the owner of an SMB, you should consider advertising a Bug Bounty program for your product that encourages “responsible disclosure” by security researchers. This is a little financial incentive for people who find a critical flaw in your software, to bring it to you instead of selling it on the Dark or Deep web.
Secondly, SMB’s should have a Vulnerability Alert Management Process (aka: VAMP) that outlines the target timelines for patching critical vulnerabilities in the software and hardware you use to run your business. For Severity 1 bugs which could remotely compromise your network, data, or systems you need to patch ASAP.
CyberHoot has a VAMP process to help guide SMB’s to developing their own best practices relating to Zero-Day vulnerabilities, patching, and responsible disclosure.