You need to outline how your program handles disclosure. As security transparency becomes more expected in the industry, companies with the most mature security postures follow Coordinated Vulnerability Disclosure. Also, to meet NIST standards, your program must allow for the disclosure of security issues.
Compliance Levels
There are three levels of Coordinated Vulnerability Disclosure compliance to choose from:
Standard
NIST and ISO compliant. The program and the hacker should coordinate to discuss and disclose reports once fixed or closed. The program must address reports within a reasonable time. Coordinate any disclosure or publication plans with the hacker to avoid surprises, and release any publications simultaneously when possible. Make sure all publications redact any private information.
Limited
Limited is similar to Standard but lets you add extra conditions in the Overview free-form text section. HackerOne needs to approve these conditions to keep expectations clear and outcomes predictable. It’s not appropriate to arbitrarily gate disclosure on a case-by-case basis.
To select the Limited option, contact your CSM and they will review the proposed limitations and turn it on for you.
Undeclared
The program doesn't claim compliance with a standard Coordinated Vulnerability Disclosure process. Hackers need to check the full program page for any specific restrictions. In some cases, the program might ask for indefinite non-disclosure for reports. Keep in mind that this approach usually isn’t suitable for VDPs as it could push disclosure to higher-risk channels like email or social media.
Report Statuses & Private Programs
When allowed, disclosure applies to all report statuses. For duplicate reports, coordinate the disclosure timing with the fix for the original report. For informative reports that don’t have a security impact, handle the disclosure as if the issue has been resolved.
Private programs can also choose Standard or Limited Coordinated Vulnerability Disclosure. In these cases, disclosure happens on an external platform (like a blog or academic journal) without mentioning the program’s presence on HackerOne.
Coordinated Vulnerability Disclosure is crucial for internet safety and helps everyone learn from shared information. Some hackers might choose Coordinated Vulnerability Disclosure despite any restrictions from a program. If they do, they need to clearly state their intention at the start of their communication with the program, such as in a note on the report. If the program is a bug bounty program, it is no longer required to pay a bounty for that report. Remember, top-notch programs offer bounties while also supporting Coordinated Vulnerability Disclosure.