Glossary

Responsible Disclosure

A practice in which security researchers privately notify a project of a vulnerability before publishing it.

Responsible disclosure (also "coordinated disclosure") is the practice in which a researcher who discovers a vulnerability privately notifies the affected project, gives the project time to patch, and only then publishes, usually after the fix is deployed and any users at risk have been moved to safety.

For Web3 the calculus is sharper than in classic infosec:

  • A vulnerability in deployed code is usually exploitable by anyone, immediately and irreversibly.
  • The financial value at stake is often visible on-chain.
  • The same publication that informs users informs the next attacker.

Responsible disclosure in this context typically means contacting the project (via security@ or an Immunefi listing) before doing anything else, allowing them to draft mitigations and warn users, and only publishing the technical details after funds are safe.

Projects need to make responsible disclosure easy: a published security email, a bug bounty with a clear scope, and a stated SLA for triage. If reaching the team is harder than exploiting the bug, expect the bug to be exploited.
