Sign InSign Up

What is a Vulnerability Disclosure Policy | Definition and Meaning

Last modified on Wednesday, May 8, 2024

3 minute read

Defining Vulnerability Disclosure Policy VDP

What is a Vulnerability Disclosure Policy?

A Vulnerability Disclosure Policy (VDP), also known as a Responsible Disclosure Policy, is a set of guidelines and procedures established by an organization to encourage and facilitate the responsible reporting of security vulnerabilities in their software, websites, or systems. The aim of a VDP is to create a channel of communication between the organization and security researchers, ethical hackers, or members of the public who discover security flaws.

How do I implement a Vulnerability Disclosure Policy?

To implement a vulnerability disclosure policy (VDP) start by creating a clear and accessible policy outlining how security vulnerabilities can be reported. Encourage responsible disclosure and assure reporters of non-retaliation. Introduce a security.txt file on your website, containing contact information for security concerns. This standardized approach allows ethical hackers to easily find the right channel for reporting vulnerabilities. Regularly update and review your VDP, ensuring it aligns with the latest security standards and best practices to safeguard your digital assets effectively

A security.txt file is a recognized and standardized format and location for your vulnerability disclosure policy, defined officially by RFC 9116.

Place the security.txt file in either the /.well-known/security.txt URL of your website, or in the root directory as security.txt, for example https://stellastra.com/.well-known/security.txt or https://stellastra.com/security.txt

RFC 9116 - "security.txt" [helps] organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.

Vulnerability Disclosure Policy Adoption

Adoption of Vulnerability Disclosure is classified below. This snapshot is taken from Stellastra's database of 7443 cyber security companies. As can be seen from the graph, 3.1% of cyber security companies have adopted a cyber security vulnerability dislosure policy.

Percentage of Cybersecurity Companies with Vulnerability Disclosure Policies

7443 Companies. Last Updated March 2024.

Who uses Vulnerability Disclosure VDP policies?

Major companies with /.well-known/security.txt policies:

What is the most popular Vulnerability Disclosure Policy and Bug Bounty Platform?

The 100,000 most popular websites were scanned by Stellastra based on Open PageRank's data. See below for limitations on our study.

Our analysis showed that the most popular vulnerability disclosure platforms are:

Market Share of Bug Bounty and Vulnerability Disclosure Policy Companies

Breakdown based on 100,000 companies using Open Page Rank's list of sites

Last Updated March 2024

The vast majority of companies with security.txt files host their own policy, and a large number of other websites use Open Bug Bounty, but such policies are more likely to use a custom tag in their policies, which do not show under Security.txt VDP "policy:" nor "contact:"

For all bug bounty platforms in our database, see our list of the Best Bug Bounty Platforms, ranked by their cyber security risk score.

Share this article

Stellastra The Cyber Security Comparison Platform

© 2024 Stellastra Ltd. All rights reserved. All names, logos, trademarks, et al, belong to their respective owners. No endorsement or partnership is necessarily implied between company and Stellastra and vice versa. Information is provided for convenience only on an as is basis. For the most up to date information, contact vendor directly. Scores including email security, SPF, and DMARC are calculated based on Stellastra's algorithms and other analyses may return different results.



About StellastraContact usCyber Security Risk ScoreEmail Deliverability ToolStellastra Discover

Stay up to date

Stellastra The Cyber Security Comparison Platform