
Vulnerability disclosure policy (and how to get it right)

Create a robust vulnerability disclosure policy with this ultimate guide.

Tal Morgenstern | August 27, 2023

Every company strives to make its products as secure as possible. Nonetheless, security vulnerabilities are bound to exist in any system, so finding them, and hearing about them from outsiders, is key. How an organization receives and handles vulnerability reports from outside parties is governed by its vulnerability disclosure policy.

In this article, we define a vulnerability disclosure policy, discuss why it matters for businesses, and walk through its key components. We then take a look at examples of vulnerability disclosure policies published by major companies.

What is vulnerability disclosure policy?

A vulnerability disclosure policy (VDP) is a public statement that invites ethical hackers and security researchers to look for security vulnerabilities in a company’s products and tells them how to report what they find to the organization. Provided the researcher stays within the rules the VDP sets out, the company commits not to pursue legal action against them for that testing and reporting.

KEY UPDATE: The proposed “Federal Cybersecurity Vulnerability Reduction Act of 2023” would require covered federal contractors to implement a vulnerability disclosure policy consistent with NIST guidance and would update the Federal Acquisition Regulation to incorporate these requirements.

Why is a vulnerability disclosure policy important?

A VDP allows ethical hackers and security researchers to submit the vulnerabilities they find in a company’s networks, systems, and applications. This helps these organizations improve their security and reduce the risk of potential vulnerabilities going undiscovered.

A VDP offers organizations numerous advantages:

  • Streamlines and legalizes the vulnerability reporting process
  • Builds trust and faith in their products and services among customers and other stakeholders
  • Shows companies are committed to data protection and information security

Staying in line with government regulations is another motivation for publishing a VDP, and for some organizations it is already a requirement. In the United States, CISA’s Binding Operational Directive 20-01 (2020) requires federal civilian executive branch agencies to publish a VDP. Earlier, the U.S. House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act in 2018, which directed the Department of Homeland Security to report to Congress on its policies and procedures for coordinating vulnerability disclosures; it did not itself mandate VDPs for private companies, but it signaled the direction of travel.

The key components of a vulnerability disclosure policy

Let’s take a look at the most important elements every organization should include in their VDP to ensure it is comprehensive, unambiguous, and easy to understand for researchers and ethical hackers.

1. Commitment

This section of the vulnerability disclosure policy is mainly directed toward customers, the marketplace, and stakeholders. It communicates the intent, importance, and goals of the policy. It conveys a good-faith commitment to security and to the company’s customers and stakeholders who could potentially be impacted by any security vulnerabilities.

It explains the company’s motivation in creating a VDP and the need for such a public policy. It also covers how the objectives of the VDP will be achieved, such as through vulnerability reporting, and how this would reduce risk and mitigate any damage caused by cyber attacks.

2. Scope

The scope section of a vulnerability disclosure policy states which assets and products the policy covers and which classes of vulnerability the organization wants to hear about. It also states which findings the organization will dismiss, for example low-severity issues it does not intend to act on, so that researchers do not waste effort on them.

In addition, it specifies: 

  • What is considered in or out of scope
  • Where efforts are needed and the focus of attention should be
  • What is permitted and prohibited

The scope identifies which products are relevant and those that are not, such as older versions that might not be supported anymore. Organizations may also choose to keep certain products off limits in order to protect intellectual property or sensitive data.

3. Safe harbor

This section of the VDP provides assurance that the organization will not penalize or take legal action against those reporting vulnerabilities so long as they abide by the policy. The authorization and safe-harbor language essentially says that the company “will not take legal action if….” This gives anyone voluntarily participating in the vulnerability disclosure policy clear and unambiguous reassurance that good-faith efforts will not result in legal action against them. Note that a safe-harbor clause binds only the organization that publishes it: it cannot speak for third parties whose systems a test might touch, which is one more reason the scope section should make clear which systems the organization actually controls.

As the goal is to create a safe harbor and build trust with the community of ethical hackers, the wording should be clear and encouraging, not threatening or prescriptive.

4. Process

This VDP section describes how vulnerability finders or ethical hackers should report what they find. It provides such information as:

  • Where to submit reports
  • How to submit reports, for example by email to a dedicated address or through a secure web form
  • The specific vulnerability details to be included in the submission

The process section also deals with what should be covered in the report so that the organization can identify and analyze the vulnerability, including such details as where the vulnerability is located, its potential impact, and any other relevant technical information.

Keep in mind that under a plain VDP (as opposed to a bug bounty program) finders are usually not paid, so requesting too much information may actually result in fewer submissions.

In addition, it is best practice not to rely on email alone for intake, as free-form email tends to produce incomplete or unstructured reports. A secure web form like the HackerOne Response form can streamline the disclosure process by asking for every required field up front; if you keep a security mailbox as well, publish it alongside the form rather than as the only channel.

Another recommended practice is to allow ethical hackers and researchers to submit their vulnerability reports anonymously. Fear of legal repercussions or of misuse of their personal data would otherwise discourage many of them from submitting at all.

The process section also outlines the organization’s timeframe for notifying the individual submitting the vulnerability report that it has been received.
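
A practical way to publish the “where and how to submit” information above is the machine-readable security.txt file defined in RFC 9116, served at /.well-known/security.txt, which researchers and scanners check before anything else. The following Python linter is an added example, not code from the article or from any vendor it names; it parses a security.txt file and flags the mistakes most likely to make a report go astray (no Contact or Expires field, a Contact that is not a URI, http:// links, an expired or far-future Expires). The two sample files and the example.com hostname are constructed for illustration.

```python
"""Minimal RFC 9116 (security.txt) parser and linter (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# RFC 9116: Contact and Expires are mandatory; Expires and Preferred-Languages
# may appear at most once; Contact values must be URIs (mailto:, https:, tel:);
# web URIs must use https.
REQUIRED = {"Contact", "Expires"}
SINGLETON = {"Expires", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
URL_FIELDS = ("Policy", "Encryption", "Canonical", "Acknowledgments", "Hiring")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map each field name to its list of values.

    Field names are case-insensitive in the RFC, so they are normalised to the
    canonical capitalisation. Blank lines and '#' comments are ignored, and the
    value is split off at the first colon so URLs keep their scheme.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; the RFC allows only fields and comments
        key = "-".join(part.capitalize() for part in name.strip().split("-"))
        fields.setdefault(key, []).append(value.strip())
    return fields


def lint_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field {name}")
    for name in sorted(SINGLETON & fields.keys()):
        if len(fields[name]) > 1:
            problems.append(f"{name} must appear only once")

    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    for name in URL_FIELDS:
        for url in fields.get(name, []):
            if url.startswith("http://"):
                problems.append(f"{name} must use https: {url}")

    for value in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must carry a timezone offset")
        elif when <= now:
            problems.append("security.txt has expired; researchers will distrust it")
        elif when - now > timedelta(days=366):
            problems.append("Expires is more than a year out; RFC 9116 recommends at most one year")
    return problems


# Constructed sample: the shape a VDP's security.txt should take (hostname invented).
GOOD = """\
# Our VDP: see the Policy link for scope, safe harbor and response targets
Contact: https://example.com/security/report
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/vdp
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with the mistakes seen most often in the wild.
BAD = """\
Contact: security@example.com
Policy: http://example.com/vdp
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

# Fixed reference time so the samples evaluate the same way every run.
FIXED_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("good:", lint_security_txt(GOOD, now=FIXED_NOW) or "ok")
    for problem in lint_security_txt(BAD, now=FIXED_NOW):
        print("bad:", problem)
```

Run the file directly to see the good sample pass and the bad one produce five findings. The linter is deliberately strict about Expires: an expired security.txt is a common real-world failure, and a stale file tells a researcher the channel may no longer be monitored.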

5. Preferences

In a VDP, this non-binding section lays out how the organization prefers to handle vulnerability report assessment and what it prioritizes. This includes the anticipated response time once a report has been submitted.

In addition, the preferences section details: 

  • Confirmation of a reported vulnerability
  • Follow-up communication throughout the vulnerability remediation process
  • Whether finders may disclose the detected vulnerabilities publicly, and when

6. Important guidelines

Every company should outline important guidelines in their VDP to set boundaries and rules for ethical hackers. These guidelines should ask researchers to notify the organization as soon as a security vulnerability has been detected, and to stop at demonstrating the issue: a discovered vulnerability should not be used to access or alter data beyond what is needed as proof, or to push further into the environment.

Vulnerability disclosure policies and security testing platforms

Most reputable companies today have publicly available VDPs, which encourage researchers to test their systems through legitimate means and help the organization meet compliance requirements.

But attracting quality researchers and ethical hackers isn’t always easy, given the number of organizations competing for their attention. Because of this, many companies rely on third-party services and platforms to gain visibility among the research community and reach some of the best researchers out there. For researchers, these platforms make it easy to find companies that are open to testing of their systems.

Let’s take a look at some of the most popular companies and platforms offering such services.

1. Bugcrowd

This crowdsourced security platform offers a paid service to help organizations identify vulnerabilities in their systems. Bugcrowd also enables independent researchers to take part in the bug bounty programs of various companies. For the companies, this offers a broader view of their security posture and reveals blind spots in the system.

2. HackerOne

HackerOne is an attack resistance management platform combining the expertise of independent and in-house ethical hackers with asset discovery and continuous assessment to reduce and close security gaps in an organization’s systems. Companies can choose to be featured on the platform as open for discovery, enabling independent hackers to find vulnerabilities in their systems and get rewarded. The platform also offers tutorials and beginner ethical hacking courses.

3. Synack

Synack is a security testing platform that offers penetration testing, vulnerability management, and cloud security testing through its vetted researcher network. Companies can opt for continuous or on-demand security testing, depending on their use case.

Examples of company vulnerability disclosure policies

Next, let’s take a look at how some well-known companies use VDPs to their benefit.

1. Oracle

Oracle’s VDP notes that, to avoid putting customers at undue risk, the company does not provide any information about a vulnerability beyond what appears in its Security Alert or Critical Patch Update. The only details Oracle publishes are those in its advisories, pre-release notes, readme files, pre-installation notes, and Security Alert FAQs.

Oracle also provides the same information to all its customers at the same time and does not give individual customers advance notice. Moreover, Oracle does not distribute proof-of-concept or active exploit code for vulnerabilities in its products.

2. Unilever

According to Unilever, once a vulnerability has been reported, the company investigates and verifies it, addresses it, and then releases a software update or patch. It asks researchers to allow adequate time for this and to keep the vulnerability details confidential until then. Where it cannot release a patch quickly, or at all, it provides information on recommended mitigations. Unilever’s VDP commits the company to keeping the researcher informed at each step of this process.

3. Netflix 

Netflix’s bug bounty program pays ethical hackers for unique vulnerabilities they report, that is, if they were first to report the vulnerability. If the discovery leads the company to make code or configuration changes, the individual is recognized in its Security Researcher Hall of Fame. Netflix commits to responding to a submission within 7 days.

4. Apple

Apple has a well-defined vulnerability disclosure policy under which the company does not disclose, discuss, or confirm a security issue until its investigation is complete and any required patches or releases are available. Apple keeps vulnerability details in-house until that point, but it does allow outsiders to test its products and report security vulnerabilities, and rewards qualifying reports through the Apple Security Bounty program.

5. Microsoft

Microsoft’s coordinated vulnerability disclosure policy also covers the other side of the table: vulnerabilities Microsoft researchers find in third-party products. In that role Microsoft reports the issue to the affected vendor, may involve a coordinator such as CERT/CC, and sets deadlines for a fix and for disclosure. It collaborates with vendors and other interested parties to remediate the vulnerability so that users end up with a more secure computing environment.

The company generally waits for a fix before publishing. Where the public is already at risk, however, Microsoft may disclose a vulnerability while the investigation is still underway or before the agreed-upon disclosure date.

In addition, Microsoft gives vendors transparent updates on its progress and tests proposed fixes with them before release. Once the patch is ready, Microsoft agrees the disclosure timeline together with the vendor.

The value of VDPs

Internal security teams, private security contractors, and third-party vendors all play an integral role in the vulnerability detection process, but the community of independent researchers and ethical hackers is a key player too. Because each of these people probes the system in a different way, researchers and hackers can help identify vulnerabilities in your system that would otherwise go undetected.

A comprehensive VDP offers a legitimate platform with a clearly defined process for reporting vulnerabilities, ensuring finders can contribute to the detection process without the fear of repercussions or legal actions against them. 

Identifying vulnerabilities is only the first step in the vulnerability management process and in keeping your systems secure. Every reported vulnerability must also be properly tracked, investigated, and mitigated to keep your business’ security risk as low as possible.

The Vulcan Cyber® risk management platform aggregates data from all of your existing tools, automatically enriching your cyber risk data with relevant prioritization context and providing actionable remediation insights. Get your free trial, and start owning your risk.
