Security researchers are selective about where they report. A company with a clear, comprehensive disclosure policy receives vulnerability reports. A company with a vague policy — or no policy — receives reports only from researchers who have already decided to work with it anyway. The policy itself filters the population of reporters you get.
What a Good Policy Includes
Scope — what is in and what is out
Be explicit about which systems and domains are in scope for testing. List systems explicitly out of scope (typically: third-party services, social engineering, physical security). Researchers who find a vulnerability in an out-of-scope system deserve a thank-you and a referral, not confusion about whether they violated the policy.
Safe harbour language
If you don't explicitly say you won't pursue legal action against researchers who follow your policy, researchers with any legal sophistication won't report to you. The safe harbour section should explicitly state that testing within scope, conducted in accordance with the policy, is authorised and you will not pursue legal action.
Response time commitments
Commit to specific timelines: how long until initial acknowledgement (72 hours is the industry standard), how long until triage completion (7 days), and how long until a fix is deployed (dependent on severity). Make commitments you can keep — a missed commitment damages trust more than a longer timeline communicated upfront.
Reward policy
If you offer bounties, publish the ranges. Vague 'we may offer recognition' language is not credible. If you don't offer monetary rewards, say so directly — some researchers prefer to report to companies that don't pay, because it removes commercial motivations from the relationship.
G8KEPR's security disclosure policy is at g8kepr.com/security. We acknowledge all reports within 48 hours, triage within 5 business days, and offer bounties for verified Critical and High findings. Reports from the past 12 months have resulted in 6 improvements — all documented in our public security changelog.
