What is a Vulnerability Disclosure Policy | Definition and Meaning
What is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP), also known as a Responsible Disclosure Policy, is a set of guidelines and procedures established by an organization to encourage and facilitate the responsible reporting of security vulnerabilities in their software, websites, or systems. The aim of a VDP is to create a channel of communication between the organization and security researchers, ethical hackers, or members of the public who discover security flaws.
How do I implement a Vulnerability Disclosure Policy?
To implement a vulnerability disclosure policy (VDP), start by creating a clear and accessible policy outlining how security vulnerabilities can be reported. Encourage responsible disclosure and assure reporters of non-retaliation. Introduce a security.txt file on your website containing contact information for security concerns. This standardized approach allows ethical hackers to easily find the right channel for reporting vulnerabilities. Regularly update and review your VDP, ensuring it aligns with the latest security standards and best practices to safeguard your digital assets effectively.
A security.txt file is a recognized and standardized format and location for your vulnerability disclosure policy, defined officially by RFC 9116.
Place the security.txt file at either the /.well-known/security.txt URL of your website or in the root directory as security.txt, for example https://stellastra.com/.well-known/security.txt or https://stellastra.com/security.txt.
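As an added example (not code from the article or from Stellastra), the checker below parses a security.txt file in the RFC 9116 "Name: value" format described above and reports the problems a reviewer of a new VDP would look for first: a missing or malformed Contact field and an Expires date that has passed or is too far out. It also lists fields outside the eight RFC 9116 defines, which is how custom, platform-specific tags show up. The sample files, the X-Custom-Field name and the fixed check date are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
# The eight field names RFC 9116 defines (matched case-insensitively); anything
# else is a custom field, like the platform-specific tags the article mentions.
RFC9116_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                  "expires", "hiring", "policy", "preferred-languages"}

def parse_security_txt(text):
    """Map each lower-cased field name to its values, skipping '#' comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without the "Name: value" shape are ignored
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """Return (problems, custom_fields); an empty problems list means it passes."""
    f = parse_security_txt(text)
    problems = []
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:  # RFC 9116 requires mailto:, tel: or https:// URIs
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:/tel:/https:// URI: {c}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:  # RFC 3339 date-time with a zone offset; "Z" means UTC
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append("Expires date has passed; the file is stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires should be less than a year in the future")
        except (ValueError, TypeError):  # unparsable, or missing time zone
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    return problems, sorted(set(f) - RFC9116_FIELDS)

# Constructed samples, checked at a fixed date so the results are reproducible.
CHECK_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD_SAMPLE = """# Constructed security.txt for this example
Contact: mailto:security@example.com
Expires: 2024-12-31T23:59:00Z
Policy: https://example.com/security-policy
X-Custom-Field: constructed-value
"""
BAD_SAMPLE = "Contact: security@example.com\nExpires: 2023-01-01T00:00:00Z\n"
```

Running the checker over the file served at /.well-known/security.txt on a schedule catches the most common failure in practice: a file that was correct when published but whose Expires date has since passed.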
"security.txt" [helps] organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.
RFC 9116
Who uses Vulnerability Disclosure Policies (VDPs)?
Major companies with /.well-known/security.txt policies:
What is the most popular Vulnerability Disclosure Policy and Bug Bounty Platform?
The 100,000 most popular websites were scanned by Stellastra based on Open PageRank’s data. See below for limitations on our study.
Our analysis showed that the most popular vulnerability disclosure platforms are:
The vast majority of companies with security.txt files host their own policy, and a large number of other websites use Open Bug Bounty; those policies, however, are more likely to use a custom tag, so they do not show up under the security.txt "Policy:" or "Contact:" fields.
For all bug bounty platforms in our database, see our list of the Best Bug Bounty Platforms, ranked by their cyber security risk score.