Vulnerability Disclosure and Bug Bounty Programs

Vulnerability disclosure and bug bounty programs are structured mechanisms through which organizations receive, process, and respond to externally reported security flaws in their applications, systems, and infrastructure. This page covers the service landscape, program types, operational frameworks, regulatory context, and classification criteria that define this sector of the application security industry. The distinction between coordinated disclosure, bug bounty, and safe harbor arrangements carries concrete legal and operational consequences for both organizations and independent security researchers.

Definition and scope

A vulnerability disclosure program (VDP) is a formalized policy and process by which an organization accepts unsolicited security vulnerability reports from external parties — researchers, customers, or members of the public — and commits to defined handling procedures. A bug bounty program extends this model by attaching financial rewards to confirmed, qualifying vulnerability reports.

The NIST National Vulnerability Database (NVD) and the CERT Coordination Center (CERT/CC) at Carnegie Mellon University have historically operated as third-party intermediaries for coordinating disclosure between researchers and vendors. ISO/IEC 29147:2018 establishes the international standard for vulnerability disclosure, while ISO/IEC 30111:2019 governs vulnerability handling processes — both published by the International Organization for Standardization.

Scope boundaries in this sector are defined along three axes:

  1. Program type — VDP only (no reward), bug bounty (monetary reward), or hybrid (reward tiers by severity)
  2. Scope surface — specific domains, IP ranges, mobile applications, or hardware explicitly included or excluded
  3. Safe harbor terms — legal protections extended to researchers acting in good faith, often referencing the Computer Fraud and Abuse Act (18 U.S.C. § 1030)

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 20-01 in 2020, requiring all federal civilian executive branch agencies to publish a VDP — marking the first federal mandate of its kind in the United States.

How it works

Operational workflow for both VDP and bug bounty programs follows a defined sequence regardless of whether the program is run internally or through a third-party platform:

  1. Policy publication — The organization publishes a security.txt file (per RFC 9116) and a human-readable VDP page specifying scope, communication channels, response timelines, and safe harbor terms.
  2. Report intake — Researchers submit findings through a designated channel (email, web form, or managed platform). Reports include reproduction steps, impact assessment, and supporting evidence.
  3. Triage — Security staff validate the report, confirm reproducibility, and assign a severity rating — typically using the Common Vulnerability Scoring System (CVSS) maintained by FIRST (Forum of Incident Response and Security Teams). CVSS scores range from 0.0 to 10.0.
  4. Remediation — The responsible engineering team patches or mitigates the confirmed vulnerability within the organization's defined SLA window.
  5. Disclosure coordination — The organization and researcher agree on a public disclosure timeline. The 90-day coordinated disclosure window, popularized by Google Project Zero, has become a de facto industry standard.
  6. Reward issuance — For bug bounty programs, payment is processed upon patch validation. Bounties for critical vulnerabilities on major platforms have ranged from $5,000 to $250,000 depending on asset class and impact.
  7. Closure and documentation — The report is closed, a CVE identifier is requested if warranted through MITRE's CVE Program, and internal metrics are updated.

The entire process is documented in CISA's VDP Platform guidance and in the NTIA's 2016 "Early Stage" vulnerability disclosure framework.
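Step 1 above hinges on a well-formed security.txt. The checker below is an added example, not code from this page or from CISA; it parses a security.txt file per RFC 9116 and flags the mistakes publishers most often make: a missing Contact or Expires field, a bare email address where a mailto: URI is required, a duplicate Expires, and an Expires timestamp that is malformed, lacks a UTC offset, or has already passed. The sample files and the ASOF reference time are constructed for illustration.

```python
from datetime import datetime, timezone

# Fields RFC 9116 defines; names are case-insensitive, so title() canonicalises them.
KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
         "Hiring", "Policy", "Preferred-Languages"}
REQUIRED = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")  # Contact values must be URIs

def parse_security_txt(text):
    """Return (name, value) pairs; blank lines and '#' comments are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip().title(), value.strip()))
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    names = [n for n, _ in fields]
    problems = [f"missing required field {r}" for r in REQUIRED if r not in names]
    if names.count("Expires") > 1:
        problems.append("Expires must appear exactly once")
    for name, value in fields:
        if name == "Contact" and not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI, not a bare address: {value}")
        elif name == "Expires":
            try:  # RFC 3339 date-time; Python < 3.11 cannot parse a trailing Z
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 date-time: {value}")
                continue
            if exp.tzinfo is None:  # a naive timestamp cannot be compared to now
                problems.append("Expires must carry a UTC offset")
            elif exp <= now:
                problems.append("security.txt has already expired")
        elif name not in KNOWN:
            problems.append(f"unrecognised field {name}; review before publishing")
    return problems

# Constructed samples: a file that passes and one with four common mistakes.
ASOF = datetime(2029, 6, 1, tzinfo=timezone.utc)  # constructed reference time
GOOD = "Contact: mailto:security@example.com\nExpires: 2030-01-01T00:00:00Z\n" \
       "Policy: https://example.com/vdp\nPreferred-Languages: en\n"
BAD = "Contact: security@example.com\nexpires: 2020-01-01T00:00:00Z\n" \
      "Expires: 2031-01-01T00:00:00\n"
```

Running `check_security_txt(BAD, now=ASOF)` returns four findings, one per mistake in the constructed file.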

Common scenarios

Federal agency compliance deployment — Following BOD 20-01, agencies stood up VDPs covering internet-accessible systems. These programs are typically VDP-only (no bounty), scoped to specific IP ranges, and administered through CISA's shared platform or agency-run portals. The scope excludes classified systems and internal networks.

Commercial bug bounty on a managed platform — Technology companies and financial institutions contract with managed bug bounty platforms to handle researcher onboarding, triage support, and payment processing. In these arrangements, the platform acts as an intermediary and the sponsoring organization sets reward tiers aligned to CVSS severity bands.

Coordinated disclosure outside a formal program — A researcher discovers a critical vulnerability in an organization that has no published VDP. The researcher may engage CERT/CC or a national CSIRT (Computer Security Incident Response Team) as a neutral intermediary. The FIRST PSIRT Services Framework provides guidance for product security incident response teams navigating exactly this scenario.

Public sector critical infrastructure — Sectors regulated under frameworks such as NERC CIP (energy) or TSA cybersecurity directives (pipelines and surface transportation) have sector-specific disclosure expectations that intersect with VDP obligations. Researchers disclosing ICS/SCADA vulnerabilities are often directed through the ICS-CERT channel within CISA.

The Application Security Providers page catalogs service providers operating across these program types.

Decision boundaries

Distinguishing the appropriate program structure requires evaluating three primary decision factors:

VDP vs. Bug Bounty — A VDP without financial reward is appropriate when the organization lacks bandwidth to process high report volumes or cannot commit to bounty payment infrastructure. Bug bounty programs generate significantly higher researcher engagement but require defined triage capacity — industry guidance from HackerOne's public reports indicates organizations running active bounties receive between 50 and 500 submissions per month depending on scope size.

Private vs. Public programs — Private programs restrict participation to invited researchers and control report volume during initial deployment phases. Public programs are open to any researcher and maximize coverage but require mature triage operations. CISA's framework recommends a private or limited phase before public launch for organizations new to disclosure operations.

Self-managed vs. platform-managed — Self-managed programs retain full control of researcher relationships and report data but require internal staffing. Platform-managed programs (operated through specialized intermediaries) offload triage support and researcher credentialing. The describes how security service sectors, including managed disclosure platforms, are classified within this reference structure.

Safe harbor scope — Organizations must explicitly define what researcher actions fall within authorized testing. Without clear safe harbor language referencing 18 U.S.C. § 1030, researchers face legal uncertainty. The Department of Justice's 2022 policy revision on CFAA enforcement clarified that good-faith security research should not be prosecuted under the statute — but this guidance does not substitute for explicit organizational safe harbor language.

For professionals navigating this sector, the Application Security Authority resource overview describes how providers are structured across service categories, including disclosure program management.
