Why Every Organization Needs a Vulnerability Disclosure Policy
Security vulnerabilities exist in every system. The question is not whether someone will find them, but what happens when they do. Without a clear pathway for reporting, well-intentioned researchers are left with no safe option — and organizations lose the chance to fix critical issues before they become incidents.
The Problem
Most organizations have no published process for receiving vulnerability reports from external parties. When a researcher discovers an issue, they face a difficult choice: report it through informal channels and risk legal action, post it publicly and risk enabling attackers, or simply walk away and leave the vulnerability unaddressed.
This silence benefits no one. The organization remains exposed, users remain at risk, and the broader security ecosystem loses valuable intelligence about real-world attack surfaces.
What is a VDP?
A Vulnerability Disclosure Policy (VDP) is a published document that tells external security researchers how to report vulnerabilities to your organization. At minimum, it includes:
- A designated security contact (email, form, or platform)
- Scope of systems covered
- Expected response timelines
- Safe harbor language protecting good-faith researchers
- Guidelines on acceptable testing methods
A VDP is distinct from a bug bounty program. Bug bounties offer financial rewards; VDPs simply establish a communication channel. Many organizations start with a VDP and later add a bounty program as their security maturity grows.
What Happens Without a VDP
Without a disclosure policy, organizations commonly experience:
- Reports sent to the wrong people. Vulnerabilities reported to customer support, sales, or general inboxes are frequently ignored, lost, or misunderstood.
- Delayed remediation. Without a defined process, reports sit in queues for weeks or months while the vulnerability remains exploitable.
- Legal risk. Researchers who find no safe harbor language may assume reporting will lead to legal threats — and they are often right.
- Public disclosure without coordination. Frustrated researchers may resort to publishing findings publicly if they receive no response, forcing the organization into reactive crisis management.
Building an Effective VDP
An effective VDP does not need to be complex. The core elements are:
- Clear scope: Define which systems, domains, and applications are in scope for testing. Explicitly list anything that is out of scope.
- Safe harbor: Commit to not pursuing legal action against researchers who follow the policy in good faith. This is the single most important element.
- Response SLAs: Set expectations for acknowledgment (e.g., 3 business days) and resolution timelines (e.g., 90 days for critical issues).
- Preferred channels: Provide a dedicated email address, such as a security@ alias on your own domain, or use a platform like HackerOne or Bugcrowd to manage intake.
The disclose.io Framework
The disclose.io project provides open-source, standardized VDP templates that organizations can adopt immediately. Their core terms cover the essential legal protections and process guidelines, and they are backed by industry consensus.
Adopting disclose.io's framework signals to the security community that your organization takes vulnerability reports seriously and operates in good faith.
Getting Started
If your organization does not have a VDP, the path forward is straightforward:
- Draft a policy using the disclose.io template as a starting point
- Publish it at /.well-known/security.txt and on your website
- Set up a monitored security contact email
- Brief your legal and engineering teams on the process
- Respond to every report, even if the issue is not actionable
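The security.txt file mentioned above follows RFC 9116, which requires a Contact URI and exactly one Expires timestamp (recommended to be under a year out). The following is an added example, not code from the article or from disclose.io: it renders a minimal file pointing at a VDP and checks the mandatory fields, using constructed placeholder addresses and URLs.

```python
"""Build and check an RFC 9116 security.txt; added example with constructed placeholder values."""
from datetime import datetime, timedelta, timezone

# Field names RFC 9116 defines. Contact and Expires are mandatory; Expires must appear once.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")  # Contact values must be URIs

def build_security_txt(contact: str, policy_url: str, valid_days: int = 365) -> str:
    """Render a minimal file; Expires is ISO 8601 in UTC, less than a year out."""
    expires = datetime.now(timezone.utc) + timedelta(days=valid_days)
    return "\n".join([
        "# Vulnerability disclosure policy: see the Policy URL below.",
        f"Contact: {contact}",
        f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}",
        f"Policy: {policy_url}",
    ]) + "\n"

def validate_security_txt(text: str) -> list[str]:
    """Return the problems found; an empty list means the file passes."""
    problems, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"not a field line: {line!r}")
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    problems += [f"unknown field: {n}" for n in fields if n not in KNOWN_FIELDS]
    if "Contact" not in fields:
        problems.append("missing Contact field")
    problems += [f"Contact is not a mailto:/https:/tel: URI: {c}"
                 for c in fields.get("Contact", []) if not c.startswith(CONTACT_SCHEMES)]
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        return problems + ["Expires must appear exactly once"]
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + ["Expires is not an ISO 8601 timestamp"]
    if when.tzinfo is None:
        return problems + ["Expires must carry a timezone"]
    now = datetime.now(timezone.utc)
    if when <= now:
        problems.append("Expires is in the past; the file is stale")
    elif when > now + timedelta(days=366):
        problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems
```

Serve the rendered file at /.well-known/security.txt over HTTPS and re-run the check from a scheduled job, since a stale Expires is the most common way a published file quietly stops being trusted.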
The cost of implementing a VDP is minimal. The cost of not having one — a missed critical vulnerability, a public disclosure without coordination, or a legal conflict with a researcher trying to help — can be significant.
Vulnerability disclosure is not a threat. It is a collaboration. Give it a front door.