SecOps
How do you run a vulnerability disclosure program?
A vulnerability disclosure program (VDP) gives external security researchers a clear, legal way to report bugs in your systems. Publish a security.txt file at `/.well-known/security.txt`, define scope (what's in-bounds for testing), set response time commitments, and provide a secure reporting channel. A VDP is the minimum responsible step; a paid bug bounty program is the next level.
Key Considerations
- Publish `security.txt` (RFC 9116) with contact email, PGP key, and policy link — this is the industry standard discovery mechanism
- Define clear scope: which domains, apps, and vulnerability types are in-bounds, and what's explicitly excluded
- Commit to response SLAs: acknowledge reports within 48 hours, triage within 5 business days
- Offer safe harbor language: promise not to pursue legal action against researchers acting in good faith within scope
- Use platforms like HackerOne or Bugcrowd to manage reports if you don't want to build your own intake workflow
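Before relying on the `security.txt` discovery mechanism above, check that the published file is actually valid: RFC 9116 also requires an `Expires` field, and researchers treat a file with no or past `Expires` as abandoned. The following is an added example (not code from the original page or any particular project) that parses a `security.txt` and reports violations of the core RFC 9116 rules; the sample file is constructed and the hostnames and paths in it are placeholders.

```python
from datetime import datetime, timedelta, timezone

# RFC 9116 checks applied: Contact and Expires are required; URL fields must be https (Contact may be mailto/tel).
REQUIRED = {"contact", "expires"}
HTTPS_ONLY = {"encryption", "policy", "canonical", "acknowledgments", "hiring"}

def parse_security_txt(text):
    """Map each field name (lower-cased) to its values; blank lines and '#' comments are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return the problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {n}" for n in sorted(REQUIRED - fields.keys())]
    for v in fields.get("contact", []):
        if not v.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"contact must be an https, mailto or tel URI: {v}")
    for n in sorted(HTTPS_ONLY & fields.keys()):
        problems += [f"{n} must be an https URL: {v}" for v in fields[n] if not v.startswith("https://")]
    for v in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(v.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an RFC 3339 timestamp: {v}")
            continue
        if expires.tzinfo is None:
            problems.append("expires must carry a timezone offset")
        elif expires <= now:
            problems.append("expires is in the past; researchers will treat the file as stale")
        elif expires > now + timedelta(days=365):
            problems.append("expires is more than a year out; RFC 9116 recommends under a year")
    return problems

# Constructed sample for this example (not a real deployment); Expires is set six months out.
SAMPLE = """\
Contact: mailto:security@example.com
Expires: {exp}
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
""".format(exp=(datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ"))
```

Run `validate_security_txt(open("/.well-known/security.txt").read())` against the file you actually serve; anything it returns is a reason researchers may not find or trust your reporting channel.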