Vulnerability disclosure programs (VDPs) are structured frameworks or processes through which an organization receives, documents, and acts on reports of security vulnerabilities in its own systems, submitted by people outside the organization. VDPs are not generally required of private-sector organizations by law, but the U.S. government encourages them as a proactive approach to cybersecurity, and CISA Binding Operational Directive 20-01 requires federal civilian executive-branch agencies to publish one.
A vulnerability disclosure program is a single, published process through which security researchers, end users, and the wider cybersecurity community report security flaws or vulnerabilities in a company's publicly accessible, internet-facing assets.
As with scope (the assets and testing methods that are in bounds), a vulnerability disclosure program should spell out a detailed step-by-step process for security researchers to follow: where to send a report, what information to include, and what response and timeline to expect.
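The standard way to publish that reporting process is a security.txt file (RFC 9116) served at /.well-known/security.txt. The following is an added illustration, not text from the original page or from any real program; the domain, addresses, and URLs are hypothetical placeholders.

```text
# Hypothetical security.txt for example.com (illustrative placeholders only)
Contact: mailto:security@example.com
Contact: https://example.com/vulnerability-report
Expires: 2026-06-30T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/security/thanks
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/disclosure-policy
```

The Contact and Expires fields are mandatory; Expires must be a future date, so the file needs to be refreshed before it lapses or researchers may treat the contact details as stale. The Policy URL should point at the scope and step-by-step reporting instructions described above, and the file can optionally be signed with an OpenPGP cleartext signature so researchers can verify it has not been tampered with.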
Often described as coordinated disclosure (or, in older usage, responsible disclosure), vulnerability disclosure programs provide a framework for security researchers to report security issues, vulnerabilities, or bugs to an organization, and for the organization to remediate them, typically before details are made public.