What is a vulnerability disclosure policy?

A VDP is a public document that tells security researchers what they may test, how to report what they find, and what they can expect in return. It is the front door for coordinated disclosure and is increasingly expected of any organization with an online presence.

What is a safe-harbor statement?

A safe-harbor clause promises not to pursue legal action against researchers who act in good faith and within the policy. It is the single most important element for encouraging reports, because researchers will not test if they fear prosecution.

How is a VDP different from a bug bounty?

A VDP is a policy for accepting and handling reports and does not necessarily pay. A bug bounty adds monetary rewards on top of a VDP. You can run a VDP with public recognition only, or layer a paid bounty on later.

Where should I publish the policy?

Host it at a stable URL and reference it from a security.txt file at /.well-known/security.txt so automated tools and researchers can discover it. A discoverable policy gets far more useful reports than one buried in a footer.

What response timelines should I commit to?

Common targets are acknowledging within one to two business days, triaging within about five, and resolving by severity within thirty to ninety days. Commit only to what you can actually meet, because missed commitments damage trust with researchers.

Vulnerability Disclosure Policy Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Open the front door for security researchers

Researchers will only report vulnerabilities to organizations that make it safe and clear to do so. This builder produces a complete, professional vulnerability disclosure policy with the elements that matter most — explicit scope, a reporting channel, a safe-harbor promise, and concrete response timelines — so good-faith reports reach you instead of going public or unreported.

How it works

You provide your organization name, then list which assets are in scope and which are explicitly out of scope so testers know the boundaries. You set the reporting channel, choose acknowledge, triage, and resolution time commitments, and decide whether to include a safe-harbor statement and what recognition you offer — public credit, private thanks, or a paid bounty. The builder assembles these into the standard VDP sections: introduction, scope, how to report, researcher expectations, safe harbor, recognition, and your response commitments. The safe-harbor section is what converts cautious researchers into active reporters.

Tips and example

Keep in-scope and out-of-scope lists concrete — list *.acme.com web properties rather than a vague “our systems”.
Always exclude denial-of-service and social engineering unless you specifically want them tested.
Include the safe-harbor clause; without it, many researchers will simply walk away or disclose publicly.
Publish the result and reference it from /.well-known/security.txt so it is automatically discoverable.