The US Federal Trade Commission (FTC) and Department of Justice (DOJ) are signaling that, going forward, organizations must have some form of vulnerability disclosure program (VDP) that lets good-faith security researchers report bugs. Most organizations have no VDP whatsoever. A recent HackerOne study found that 94 percent of the Forbes Global 2000 do not have any way for researchers to report security issues.
A VDP offers a secure channel for researchers to report security issues and includes some process for triaging and mitigating those bugs in an appropriate manner. A VDP has become an industry best practice, and regulators and law enforcement are paying attention.