Vulnerability Disclosure

The process of reporting, acknowledging, and addressing security vulnerabilities, typically following responsible disclosure timelines.

security concept · process · governance

Vulnerability disclosure is the process by which security researchers report discovered vulnerabilities to affected vendors and the vulnerabilities are subsequently fixed and publicly documented. Responsible disclosure (also called coordinated disclosure) involves privately notifying the vendor and allowing a reasonable timeframe for a fix before public disclosure — typically 90 days.

Key components of a disclosure program include: a security.txt file or security@ email for receiving reports, a clear vulnerability handling process, defined response time commitments, a safe harbor policy for good-faith researchers, and a process for issuing CVEs for confirmed vulnerabilities.

Organizations can formalize their disclosure process through a Vulnerability Disclosure Policy (VDP), which differs from a bug bounty in that it doesn't offer monetary rewards but provides legal safe harbor and acknowledgment for reporters.

How APVISO tests for this: APVISO helps organizations maintain a strong security posture alongside their disclosure program. By continuously testing your applications, APVISO reduces the number of vulnerabilities that external researchers might find, allowing your security team to focus on responding to novel submissions.
