When a vulnerability is discovered, researchers are quick to look for ways to disclose it to your security team. But if an obvious reporting channel is unavailable, researchers are faced with the choice of either doing nothing or disclosing the vulnerability publicly—both of which are extremely undesirable.
A responsible disclosure policy gives researchers a clear and easy path to alert your security team to a potential vulnerability. It defines which properties are in or out of scope, which types of vulnerabilities should and shouldn’t be reported, and how a report should be submitted.
Because responsible disclosure policies are an easy way to discover unknown vulnerabilities, every organization should have one. That’s why they’re recommended by the U.S. Department of Justice, promoted by General Motors, and endorsed by everyone from the European Commission to the U.S. Food & Drug Administration; the Department of Defense hosts its program on HackerOne. And it’s why you need to have a responsible disclosure policy in place now. What’s your plan for responsible disclosure?