Vulnerability Disclosure Policy

Vulnerability Disclosure Policy: a structured, easy and accessible way for anyone to report vulnerabilities

Cybercrime is an ever-increasing problem, driven by organisations' rapid digital transformation and the growing sophistication of threats.

Good-faith security researchers can help, but they need a safe and clear framework for informing you. Their reports give you valuable information for improving the security of your systems.

It is therefore in your best interest to encourage responsible, organised disclosure of vulnerabilities.

WHAT IS A VULNERABILITY DISCLOSURE POLICY?

A Vulnerability Disclosure Policy (VDP) is a secure and structured channel through which anyone can report security issues and vulnerabilities to the organisation exposed to them.

Vulnerability disclosure is specified in ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes), and it is actively promoted as a best practice by public bodies such as NIST, ENISA, CISA and the OECD.

WHY DO ORGANISATIONS NEED A VULNERABILITY DISCLOSURE POLICY?

+ Reduce risk by shortening time-to-remediation
+ Demonstrate your commitment to security and build trust among your partners, customers and users
+ Streamline vulnerability management by integrating report data into your internal workflows

THE DIFFERENCES BETWEEN VDP AND BUG BOUNTY

VDP = PASSIVE APPROACH

WHY: Gather potential vulnerabilities
HOW: Set up a reporting channel on a dedicated page of your own website; your policy is not displayed on the YesWeHack platform
WHO: Anyone acting in good faith who wishes to report a bug
REWARD: No expectation of financial reward; only a thank-you or a Hall of Fame entry is given

BUG BOUNTY = ACTIVE APPROACH

WHY: Encourage vulnerability research
HOW: Set up a detailed program (public or private), displayed on the YesWeHack platform, with scopes, rules and a reward grid
WHO: Selected security researchers or the whole YesWeHack community
REWARD: A pre-established, published financial reward grid