What is Responsible Disclosure?

Benefit from the knowledge of security researchers by giving them transparent rules for submitting vulnerabilities to your team: a responsible disclosure policy. Your team may follow development best practices and have yet to face a security breach, but in the event that a security researcher discovers a vulnerability, it is important to define a process that lets them report the issue to your team safely. That process is what a responsible disclosure policy describes. To help the web adopt responsible disclosure, we’ve developed an open source responsible disclosure policy your team can use for free.

Occasionally a security researcher will discover a flaw in your app, which leaves the researcher deciding how to report it. An ethical hacker will privately report the vulnerability to your team and allow a reasonable timeframe to fix the issue; if your team does not fix it within that window, the researcher may publish the details to alert the public. Publishing a vulnerability to the public is known as full disclosure, and there are several reasons a security researcher may take this path. A security researcher may disclose a vulnerability publicly if:

  • They are unable to get in contact with the company.
  • Their vulnerability report was ignored (no reply or unhelpful response).
  • The reported vulnerability was not fixed.
  • They felt notifying the public would prompt a fix.
  • They fear legal action if they approach the company directly.

While not a common occurrence, full disclosure puts pressure on your development team and PR department, especially if the researcher has not first informed your company. These scenarios can lead to negative press and a scramble to fix the vulnerability.

For more information, read Bugcrowd’s overview of responsible disclosure at the following article:

https://www.bugcrowd.com/resource/what-is-responsible-disclosure/