Why Every Organisation Needs a Vulnerability Disclosure Policy

Security researchers find vulnerabilities in organisations’ systems every day. The question is what happens next. Without a vulnerability disclosure policy, there’s no clear path for reporting those findings. The researcher doesn’t know who to contact, whether they’ll face legal threats for their research, or whether anyone will actually fix the issue.

A vulnerability disclosure policy removes that friction. It tells researchers how to report findings, sets expectations for response times, and provides safe harbour against legal action for good-faith security research.

What a Good Policy Includes

Your vulnerability disclosure policy should publish a dedicated contact method, typically a security email address and ideally a web form. It should define what’s in scope and what’s out of scope. It should commit to acknowledging reports within a reasonable timeframe. And it should provide safe harbour language confirming that you won’t pursue legal action against researchers who follow the policy.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Organisations without a vulnerability disclosure policy are missing a free source of security intelligence. Well-intentioned researchers who find vulnerabilities in your systems need a way to report them. Without a clear process, they either give up and the vulnerability stays open, or they disclose publicly and your reputation takes a hit.”

The UK’s National Cyber Security Centre publishes guidance on creating vulnerability disclosure policies. Following their framework gives you a structure that aligns with industry best practice.

The Business Case for Disclosure Policies

Every vulnerability report you receive through a disclosure policy is a finding you didn’t have to pay for. It’s also a vulnerability you can fix before it gets exploited or disclosed publicly.

Without a policy, researchers face an uncomfortable choice. They can try to find a security contact, often ending up in a customer service queue where their report gets ignored. They can publish the vulnerability publicly, which forces your hand but damages your reputation. Or they can walk away, leaving the vulnerability open for someone with less benign intentions to find.

Complementing Your Testing Programme

A vulnerability disclosure policy doesn’t replace professional security testing. It complements it. Regular web application penetration testing provides systematic, comprehensive assessment of your applications. Vulnerability disclosures from external researchers catch issues between testing cycles or in systems that weren’t included in the assessment scope.

Engaging a reputable penetration testing company for regular professional testing while maintaining an open disclosure policy gives you the best coverage: structured assessments plus the eyes of the broader security research community.

Getting Started

Publishing a vulnerability disclosure policy takes minimal effort. Draft the policy using NCSC guidance. Create a dedicated email address. Publish the policy on your website. And assign someone to triage incoming reports.

The organisations that benefit most from disclosure policies are the ones that treat reports as valuable intelligence rather than inconvenient interruptions. Every report is an opportunity to fix something before it becomes a breach.