What is a Vulnerability Disclosure Policy | Definition and Meaning
Last modified on Wednesday, May 8, 2024
What is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP), also known as a Responsible Disclosure Policy, is a set of guidelines and procedures established by an organization to encourage and facilitate the responsible reporting of security vulnerabilities in their software, websites, or systems. The aim of a VDP is to create a channel of communication between the organization and security researchers, ethical hackers, or members of the public who discover security flaws.
How do I implement a Vulnerability Disclosure Policy?
To implement a vulnerability disclosure policy (VDP), start by creating a clear and accessible policy outlining how security vulnerabilities can be reported. Encourage responsible disclosure and assure reporters of non-retaliation. Publish a security.txt file on your website containing contact information for security concerns. This standardized approach allows ethical hackers to easily find the right channel for reporting vulnerabilities. Regularly review and update your VDP so that it aligns with the latest security standards and best practices and safeguards your digital assets effectively.
A security.txt file is a recognized and standardized format and location for your vulnerability disclosure policy, defined officially by RFC 9116.
Place the security.txt file at the /.well-known/security.txt URL of your website, or in the root directory as security.txt, for example https://stellastra.com/.well-known/security.txt or https://stellastra.com/security.txt.
RFC 9116 - "security.txt" [helps] organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.
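The steps above come down to publishing a file at the right location with the fields RFC 9116 requires. The following script is an added example, not code from the original page or from Stellastra: it builds the two candidate URLs for a site, parses a security.txt body, and checks the RFC 9116 rules a practitioner is most likely to get wrong (a missing or expired Expires field, a Contact value that is not a URI, more than one Preferred-Languages field, and non-standard fields that generic tooling will ignore). The sample files and the example.com addresses are constructed for the demo; REFERENCE_NOW is a fixed clock so the result does not depend on the real date.

```python
"""Added example: locate and validate a security.txt file per RFC 9116."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names defined by RFC 9116 section 2.5; names are compared case-insensitively.
RFC9116_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}

# Fixed clock used by the demo and its checks (constructed value, not the real date).
REFERENCE_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)

# Constructed sample that satisfies the checks below (example.com is a placeholder).
SAMPLE_GOOD = """\
# Constructed sample file, not a real policy
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/vdp
Preferred-Languages: en
"""

# Constructed sample with three defects: bare e-mail address, no Expires, custom field.
SAMPLE_BAD = """\
Contact: security@example.com
Policy: https://example.com/vdp
Bug-Bounty: https://example.com/bounty
"""


def candidate_urls(site):
    """Return the locations to check, in RFC 9116 order: the well-known path first,
    then the legacy root path (which the RFC says should redirect to the former)."""
    parts = urlsplit(site)
    origin = f"{parts.scheme}://{parts.netloc}"
    return [f"{origin}/.well-known/security.txt", f"{origin}/security.txt"]


def parse_security_txt(text):
    """Parse 'Field: value' lines into {lowercase field: [values]}.
    Blank lines and '#' comments are skipped; unknown fields are kept so the
    validator can report non-standard tags instead of silently dropping them."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required (at least one value)")
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should be a mailto:, tel: or https: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append("file has expired; publish a fresh copy")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out; the RFC recommends less")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("at most one Preferred-Languages field is allowed")
    for name in fields:
        if name not in RFC9116_FIELDS:
            problems.append(f"non-RFC field '{name}' will be ignored by generic tools")
    return problems


if __name__ == "__main__":
    print("Locations to publish/check:", candidate_urls("https://example.com/about"))
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        issues = validate(parse_security_txt(sample), now=REFERENCE_NOW)
        print(f"{label}: {'OK' if not issues else issues}")
```

Run the validator against your own file before publishing it, and again whenever the Expires date approaches; an expired file is the most common way a working security.txt quietly stops being one.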
Vulnerability Disclosure Policy Adoption
Adoption of vulnerability disclosure policies is shown below. This snapshot is taken from Stellastra's database of 7443 cyber security companies. As can be seen from the graph, 3.1% of cyber security companies have adopted a cyber security vulnerability disclosure policy.
Percentage of Cybersecurity Companies with Vulnerability Disclosure Policies
7443 Companies. Last Updated May 2024.
Who uses Vulnerability Disclosure VDP policies?
Major companies with /.well-known/security.txt policies:
What is the most popular Vulnerability Disclosure Policy and Bug Bounty Platform?
The 100,000 most popular websites were scanned by Stellastra based on Open PageRank's data. See below for limitations on our study.
Our analysis showed that the most popular vulnerability disclosure platforms are:
Market Share of Bug Bounty and Vulnerability Disclosure Policy Companies
Breakdown based on 100,000 companies using Open Page Rank's list of sites
Last Updated May 2024
The vast majority of companies with security.txt files host their own policy. A large number of other websites use Open Bug Bounty, but those policies are more likely to use a custom tag in the file, which does not appear under the security.txt "Policy:" or "Contact:" fields.
For all bug bounty platforms in our database, see our list of the Best Bug Bounty Platforms, ranked by their cyber security risk score.