Vulnerability (computer security)
===Disclosure===
Someone who discovers a vulnerability may disclose it immediately ([[Full disclosure (computer security)|full disclosure]]) or wait until a patch has been developed ([[Coordinated vulnerability disclosure|responsible disclosure]], or coordinated disclosure). The former approach is praised for its transparency, but its drawback is that the risk of attack is likely to increase after disclosure while no patch is available.<ref>{{cite web |title=Ask an Ethicist: Vulnerability Disclosure |url=https://ethics.acm.org/integrity-project/ask-an-ethicist/ask-an-ethicist-vulnerability-disclosure/ |website=[[Association for Computing Machinery]]'s Committee on Professional Ethics |access-date=3 May 2024 |date=17 July 2018}}</ref> Some vendors pay [[bug bounty|bug bounties]] to those who report vulnerabilities to them.{{sfn|O'Harrow|2013|p=18}}{{sfn|Libicki|Ablon|Webb|2015|p=45}} Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead.{{sfn|Strout|2023|p=36}} There is no law requiring disclosure of vulnerabilities.{{sfn|Haber|Hibbert|2018|p=110}} If a vulnerability is discovered by a third party that does not disclose it to the vendor or the public, it is called a [[zero-day vulnerability]], often considered the most dangerous type because fewer defenses exist.{{sfn|Strout|2023|p=22}}