Responsible Disclosure

Vulnerability Disclosure Program (VDP)

A vulnerability disclosure policy is the digital equivalent of “if you see something, say something.” It gives hackers and security researchers clear guidelines for reporting security vulnerabilities to the proper person or team. The HackerOne platform makes it easy to establish an ISO 29147–compliant VDP and work directly with trusted hackers to resolve critical security vulnerabilities.

VDP Pioneers

HackerOne pioneered responsible disclosure. Our VDP structure is based on the recommended practice outlined in the Cybersecurity Framework by the National Institute of Standards and Technology (NIST). Since 2012, HackerOne has partnered with thousands of organizations to unlock the security value of the global hacking community. Now, HackerOne has become the first hacker-powered security vendor to receive FedRAMP authorization.

VDP Pioneers Video



The Power of Policy

Vulnerability disclosure policies direct energy and attention into improving the safety and security of systems and software for the overall population. An effective VDP ensures:

  • Hacker-powered testing conforms to your organization’s needs
  • Submissions arrive in a consistent format through an approved channel
  • Vulnerability reports integrate with existing workflows
Vulnerability Disclosure Policies

Vulnerability Disclosure Policies: 5 Critical Components

Download the Handbook


Adhere to Best Practices

Security forerunners like the US Department of Defense have used hacker-powered programs for years to safely identify vulnerabilities. Through their partnership with HackerOne, these organizations have made VDPs their best practice, guiding the way they work with (and accept submissions from) ethical hackers.

Provide Proof of Compliance

Provide Proof of Compliance

Comprehensive attestation reports mean you can pass security audits with ease and show proof of compliance with frameworks like NIST SP 800-53 Rev. 5 and mandates like CISA Binding Operational Directive 20-01. Quickly access overall program metrics, including mean time to remediate (MTTR), level of vulnerability criticality, and evidence of vulnerability remediation based on the most current application information. White label your submission form to integrate your VDP with your brand.

In Their Words