What is full disclosure in cybersecurity, and when do researchers use it?

A security research team recently discovered a serious vulnerability in Cursor, a popular AI-assisted code editor. The team decided to publicly disclose the finding, and that decision reignited a long-running debate in the cybersecurity world: when should a vulnerability be made public?
Traditionally, security researchers who find a flaw report it privately to the affected company and give it a reasonable window to develop a fix before saying anything publicly. This approach is known as "responsible disclosure," and its goal is to get the vulnerability patched before malicious actors can exploit it.
But in some cases, researchers conclude that a company isn't moving fast enough, or isn't taking the issue seriously. That's where "full disclosure" comes in: the researcher publishes detailed technical information about the flaw publicly, aiming both to warn users directly and to pressure the company into acting.
Proponents of full disclosure argue the approach gives users the chance to understand their risk and protect themselves. When a flaw stays hidden, users remain exposed without knowing it; public information, by contrast, at least lets them take temporary precautions.
Critics counter that full disclosure can also hand malicious actors a roadmap before a fix is ready. Once technical details of a vulnerability go public, that information reaches defenders and attackers at exactly the same time.
In the Cursor case, the research team said it had contacted the company before publishing its findings. The team judged the response insufficient or too slow, and decided that informing users took priority over waiting any longer.
AI-assisted code editors are especially concerning targets for this kind of vulnerability because they're deeply woven into developers' daily workflows. An attacker who compromises such a tool could potentially gain access to a developer's source code, credentials and other sensitive data.
A middle path known as "coordinated disclosure" has grown more common across the industry in recent years. Under this model, the researcher and the company agree in advance on when and how a vulnerability will be made public, aiming to balance transparency with user protection.
Experts say there's no fixed rule for which approach is "correct" — the right call can depend on the severity of the flaw, how quickly the company responds, and how many users are affected. Each case, in that sense, gets judged on its own terms.
The Cursor case underscores that as AI tools rapidly embed themselves in software development, the debate over how vulnerabilities should be handled is becoming less theoretical and increasingly practical.
Read next

25 years of Google Image Search: how visual search has evolved
Google is marking the 25th anniversary of Image Search with a redesigned, AI-powered gallery that continuously updates based on a user's interests. The overhaul is a reminder of how far the tool has come since launching as a simple keyword-matching feature.

Third-party Android app stores are coming: what the Google-Epic fight changes
Google and Epic Games have jointly withdrawn their attempt to settle the long-running lawsuit reshaping how Android app stores work, clearing the way for a court order to take effect. Google says it will begin hosting rival app stores inside its own Play Store starting next week.

DeepMind CEO calls for an independent body to test frontier AI models
Google DeepMind CEO Demis Hassabis is proposing an independent AI "standards body," modeled on self-regulatory organizations in finance, to test frontier models and develop best practices before release. The idea adds a new angle to the ongoing debate over who should oversee advanced AI.

What is Secure Boot, and how did a decade-old flaw go unnoticed?
Secure Boot, the technology meant to stop malware from hijacking a computer's startup process, has had a bypass hiding in plain sight for more than a decade. The flaw traces back to old, digitally signed software components that Microsoft failed to revoke.

Memory chip shortage: why it's pushing smartphone shipments to record lows
A global shortage of memory chips is squeezing smartphone production, pushing overall shipments to historic lows even as Apple and Samsung, with the scale to secure supply, gain relative market share. Analysts say the crunch reflects surging demand for the same memory chips from AI data centres.