Vulnerability Disclosure Policy

“Whoever brings blessing will be enriched, and one who waters will himself be watered.” (Proverbs 11:25).

And yet… sometimes thirsty people just don’t want to drink.

That is what it can feel like as a security researcher when you find a security vulnerability but can’t find a way to contact the company to ethically disclose the issue.

In the industry, this contact method is usually called a Vulnerability Disclosure Policy.

From CISA: “A vulnerability disclosure policy (VDP) is an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible… information systems.”

In our testing engagements, Pen Consultants usually searches the following places for a VDP:

• Client’s Website: “Contact Us” page for security specific instructions
• Client’s Website: Search for “report vulnerability”
• Client’s Website: Search for “vulnerability disclosure policy”
• Client’s Website: Industry standard location /.well-known/security.txt
• Google: site:[client website] vulnerability disclosure policy
• Google: “[client name]” vulnerability disclosure policy
• Email: Send an email to security@ client[.]com

The goal is to make it easy for ethical security testers to report issues, safely and securely.

That way, knowledge, like water, can be easily shared and the blessings of security can be enjoyed by all.