Disclosure Policy
What is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP) is a public document that tells security researchers how to report vulnerabilities to your organization. It defines what systems are in scope, how to submit a report, what to expect after submitting, and what legal protections apply to good-faith research.
Most security frameworks and regulatory bodies expect organizations to publish a VDP. Without one, researchers may not report issues at all — or may disclose them publicly without giving you a chance to fix them first.
How Faultlean Helps
Faultlean generates a VDP from a template based on your organization's settings and assets. The template covers the core elements that major frameworks require: a reporting channel, defined scope, safe harbor protections, communication commitments, and coordinated disclosure expectations.
The generated policy is fully editable. You can refine the language, add organization-specific sections, or restructure it as needed. The template is a starting point, not a constraint.
Editing the Policy
The Disclosure Policy page is a document editor. The main area is the policy content in Markdown. Edit it directly and save your changes.
The toolbar provides access to:
- View Public Page — opens the published version of your policy as it appears to visitors.
- Version History — shows all published versions with timestamps and change summaries. Useful for compliance audits that ask "what was your VDP on a given date?"
- Regenerate from Template — replaces the current content with a fresh version generated from your organization settings and assets. This opens a dialog where you can review and update the template parameters (security contact methods, acknowledgement timeline, policy URL) before regenerating. This is a destructive action — the current content will be replaced.
- Publish New Version — creates a versioned snapshot of the current content. Each published version is immutable and timestamped.
Template Parameters
When generating or regenerating a policy from the template, three settings control what appears in the output:
- Security contact methods — how researchers should submit reports (email address, reporting form URL, or other channels).
- Acknowledgement timeline — how quickly your organization commits to acknowledging receipt of a report.
- Policy URL — the public URL where the policy is hosted. Defaults to the Faultlean-hosted page, but you can point it to your own site.
These settings are also available on the Organization Settings page.
Publishing and Versions
Publishing creates an immutable snapshot of the current policy content. Each version is numbered and timestamped. The most recent published version is what visitors see on your public VDP page.
You can publish as many versions as needed. Prior versions remain accessible for audit purposes.
Saving changes to the editor does not publish them. You must explicitly publish to make changes visible on the public page.
How the Template Aligns with VDP Frameworks
The Faultlean VDP template aligns with guidance and standards from:
- NTIA Early Stage Vulnerability Disclosure Program Template
- CISA Vulnerability Disclosure Program (VDP) Guidance
- U.S. Department of Justice (DOJ) vulnerability disclosure guidance
- SAFECode Framework for a Software Vulnerability Disclosure Program (SFAA)
- ISO/IEC 29147: Vulnerability Disclosure
The template is intentionally minimal while still satisfying the core expectations of these frameworks.
Core Elements
Modern vulnerability disclosure frameworks generally expect organizations to provide five core elements:
- A clear method for reporting issues
- Defined scope for testing
- Safe harbor protections for good-faith researchers
- Commitments for communication and remediation
- Support for coordinated disclosure
The template includes all of these elements in a concise, readable format.
NTIA Early Stage VDP Template
The National Telecommunications and Information Administration (NTIA) published an early-stage VDP template to help organizations launch responsible disclosure programs with minimal overhead. The Faultlean template aligns closely with the structure and goals of the NTIA model.
- Welcoming Security Research — The Commitment to Security section explicitly welcomes participation from security researchers and ethical hackers.
- Defined Reporting Process — The Security Contact and Reporting an Issue sections describe how reporters can submit findings and what information should be included.
- Defined Scope — The Scope section identifies systems and services covered by the program.
- Safe Harbor — The Safe Harbor section provides explicit authorization for testing conducted in accordance with the policy.
- Coordination Before Disclosure — The Coordinated Disclosure section reflects the NTIA guidance that researchers should allow organizations time to investigate and remediate issues before public disclosure.
CISA Vulnerability Disclosure Guidance
CISA recommends that organizations publish a Vulnerability Disclosure Program that includes a public reporting channel, a statement welcoming security research, clear scope, safe harbor protections, and commitments to response and coordination.
- Public Reporting Channel — The Security Contact and Reporting an Issue sections provide one or more reporting mechanisms.
- Encouragement of Security Research — The Commitment to Security section explicitly welcomes the work of security researchers.
- Scope Definition — The Scope section clearly identifies systems and services covered by the program.
- Safe Harbor — The Safe Harbor section includes language commonly recommended by CISA: good-faith research support, authorization for testing, expectations for responsible testing, and requirements for legal compliance.
- Coordination Expectations — The Coordinated Disclosure section asks reporters to allow time for investigation and remediation before public disclosure.
DOJ Vulnerability Disclosure Guidance
The U.S. Department of Justice encourages organizations to publish policies that make clear that good-faith research will not be treated as criminal activity.
- Authorization for Testing — The Safe Harbor section states that testing conducted in accordance with the policy is considered authorized. This language is important because many computer misuse laws depend on the concept of authorization.
- Commitment Not to Refer Researchers for Prosecution — The policy includes a statement that the organization will not refer good-faith research to law enforcement.
- Responsible Research Expectations — The policy defines boundaries for acceptable testing behavior, including restrictions on service disruption, denial-of-service testing, social engineering, and unauthorized access to user data.
SAFECode VDP Framework (SFAA)
The SAFECode framework outlines best practices for vulnerability disclosure programs in the software industry.
- Clear Intake Process — The Security Contact and Reporting an Issue sections establish a clear intake channel for reports.
- Reproducible Reports — The reporting guidance requests steps to reproduce the issue, affected assets, conditions required to trigger the issue, and potential impact.
- Fair Attribution — The policy includes guidance that reports are reviewed in the order received, and credit is generally given to the first reporter who provides sufficient information.
- Researcher Communication — The Our Commitment to Reporters section commits to acknowledging reports, communicating during investigation, and recognizing reporters when appropriate.
ISO/IEC 29147
ISO/IEC 29147 is an international standard that describes how vendors should communicate with security researchers and coordinate vulnerability disclosure.
- Public Disclosure Policy — ISO 29147 expects vendors to publish a vulnerability disclosure policy. The template provides a complete policy suitable for public release.
- Reporting Mechanism — The Security Contact section provides a clear reporting channel.
- Vendor Acknowledgement — The Our Commitment to Reporters section commits to acknowledging reports within the specified timeline.
- Communication During Analysis — The policy states that the organization may communicate with reporters during investigation and may request additional information.
- Coordination Before Public Disclosure — The Coordinated Disclosure section supports coordinated release of vulnerability information after remediation.
Operational Safeguards
The template also includes safeguards commonly used in mature vulnerability disclosure programs:
- Limiting Disruptive Testing — Testing must avoid disruption to systems or services and must not affect other users.
- Preventing Data Harvesting — The Safe Harbor section requires researchers to stop testing and report immediately if they gain access to data that does not belong to them.
- Reducing Automated Scanner Reports — The reporting guidance requests sufficient detail and reproduction steps, which helps filter out low-quality automated scanner submissions.
- Handling Duplicate Reports — The policy clarifies that credit is generally given to the first reporter who submits a complete, reproducible report.