Responsible Disclosure

Responsible disclosure (also called coordinated disclosure) is a process in which a discovered vulnerability is first reported confidentially to the affected vendor or operator. Only after an agreed deadline, typically 90 days, is the vulnerability made public. This gives the vendor time to develop a patch, while the public still benefits from transparency once the deadline passes. In your ISMS you should publish a vulnerability-disclosure policy describing how external security researchers can report vulnerabilities to your organisation. This builds trust and gives incoming reports a structured intake process.
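As an added illustration, not part of this glossary entry, the timeline and the published policy pointer can be modelled in a few lines of Python: the deadline arithmetic follows the 90-day convention above, and the machine-readable security.txt format (RFC 9116) is one common way to tell researchers where to report. The contact address and URLs are placeholders.

```python
"""Added example: model the coordinated-disclosure timeline and render the
policy pointer as an RFC 9116 security.txt. Contact and URLs are placeholders."""
from datetime import date, datetime, timedelta, timezone
from typing import Optional

DISCLOSURE_WINDOW_DAYS = 90  # the "typically 90 days" deadline from the entry


def disclosure_deadline(reported_on: str, window_days: int = DISCLOSURE_WINDOW_DAYS) -> str:
    """Earliest publication date (ISO) if no earlier agreement is reached."""
    return (date.fromisoformat(reported_on) + timedelta(days=window_days)).isoformat()


def disclosure_status(reported_on: str, today: str, patched_on: Optional[str] = None) -> str:
    """embargoed: fix pending and deadline not reached; patched: fix shipped, so
    publication can be coordinated; deadline-passed: researcher may publish."""
    if patched_on is not None and patched_on <= today:  # ISO dates compare lexicographically
        return "patched"
    if today < disclosure_deadline(reported_on):
        return "embargoed"
    return "deadline-passed"


def build_security_txt(contact: str, policy_url: str, issued: str, expires: str,
                       preferred_languages: str = "en") -> str:
    """Render /.well-known/security.txt. RFC 9116 makes Contact and Expires
    mandatory and recommends that Expires lie less than a year after publication."""
    issued_dt = datetime.fromisoformat(issued).replace(tzinfo=timezone.utc)
    expires_dt = datetime.fromisoformat(expires).replace(tzinfo=timezone.utc)
    if expires_dt <= issued_dt:
        raise ValueError("Expires must lie in the future")
    if expires_dt - issued_dt > timedelta(days=365):
        raise ValueError("Expires should be less than a year out (RFC 9116)")
    return "\n".join([
        f"Contact: {contact}",
        f"Expires: {expires_dt.strftime('%Y-%m-%dT%H:%M:%SZ')}",
        f"Policy: {policy_url}",
        f"Preferred-Languages: {preferred_languages}",
    ]) + "\n"


if __name__ == "__main__":
    print(disclosure_deadline("2024-01-15"))
    print(build_security_txt("mailto:security@example.com",           # placeholder
                             "https://example.com/.well-known/vdp",  # placeholder
                             "2024-06-01", "2025-01-01"))
```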