Do you need a vulnerability disclosure program? The feds say yes

August 7, 2018


The US Federal Trade Commission (FTC) and Department of Justice (DOJ) are signaling that in the future organizations must have some form of vulnerability disclosure program (VDP) that lets good-faith security researchers report bugs. Most organizations lack any kind of VDP at all. A recent HackerOne study found that 94 percent of the Forbes Global 2000 do not have any way for researchers to report security issues.

A VDP offers a secure channel for researchers to report security issues and includes some process for triaging and mitigating those bugs in an appropriate manner. A VDP has become an industry best practice, and regulators and law enforcement are paying attention.