Vulnerability Disclosure: CVD, VDP, Bug Bounty and Responsible Disc.
How are security vulnerabilities responsibly reported and addressed? This article explains Coordinated Vulnerability Disclosure (CVD), the difference between VDP and bug bounty programs, Security.txt (RFC 9116), responsible disclosure policies with safe harbor clauses, bug bounty platforms (HackerOne, Bugcrowd, Intigriti, YesWeHack), scope definition, triage processes, CVSS scoring, payout structures, program metrics, and the legal situation for security researchers in Germany under Section 202a of the German Criminal Code (StGB).
Summary: Bug bounty programs reward external security researchers for responsibly reporting vulnerabilities. Platforms include HackerOne (Apple, with payouts of up to $1 million; Microsoft; Lufthansa), Bugcrowd and Intigriti (European, GDPR-compliant). Key program elements are scope definition (in-scope/out-of-scope assets), severity assessment according to CVSS, a triage process, and a safe harbor clause (legal protection for researchers). A VDP (Vulnerability Disclosure Policy) is a free starting point; BSIG §8b mandates a VDP for KRITIS entities.
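As an added illustration of the security.txt format the article mentions (example code written for this page, not from the original article or from any bug bounty platform): a small validator for the structural rules of RFC 9116 that a program owner can run before publishing /.well-known/security.txt. The file contents, the example.com addresses and the fixed reference date are constructed.

```python
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116; Contact and Expires are mandatory, all others optional.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption", "expires", "hiring", "policy", "preferred-languages"}
SINGLE_USE = ("expires", "preferred-languages")  # MUST NOT appear more than once
HTTPS_ONLY = ("acknowledgments", "canonical", "csaf", "hiring", "policy")  # MUST start with https://

def parse_security_txt(text):
    # Map lower-cased field name -> list of values; blank lines and '#' comments are skipped.
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return the problems found (empty list = passes); raises ValueError on a malformed line."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in ("contact", "expires") if f not in fields]
    problems += [f"{f} must appear only once" for f in SINGLE_USE if len(fields.get(f, [])) > 1]
    problems += [f"unknown field: {f}" for f in fields if f not in KNOWN_FIELDS]
    for c in fields.get("contact", []):  # e-mail as mailto:, phone as tel:, web only over https
        if ":" not in c or ("@" in c and not c.startswith("mailto:")) or c.startswith("http://"):
            problems.append(f"contact is not an acceptable URI: {c}")
    for f in HTTPS_ONLY:
        problems += [f"{f} must start with https://: {v}" for v in fields.get(f, []) if not v.startswith("https://")]
    for exp in fields.get("expires", []):
        try:  # RFC 3339 date-time with offset; Python < 3.11 rejects a trailing Z, so normalise it
            when = datetime.fromisoformat(exp[:-1] + "+00:00" if exp[-1:] in "zZ" else exp)
        except ValueError:
            when = None
        if when is None or when.tzinfo is None:
            problems.append(f"expires is not an RFC 3339 date-time with offset: {exp}")
        elif when <= now:
            problems.append("expires is in the past: the file is stale and must be refreshed")
        elif when > now + timedelta(days=365):
            problems.append("expires is more than a year out; RFC 9116 recommends under a year")
    return problems

# Constructed sample (not a real organisation's file), checked against a fixed reference time.
SAMPLE = "Contact: mailto:security@example.com\nExpires: 2024-06-30T23:59:59Z\nCanonical: https://example.com/.well-known/security.txt\n"
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
```

Call `validate_security_txt(SAMPLE, REFERENCE_NOW)` to check the sample; with `now` omitted the current time is used, so a published file should be re-validated periodically to catch an expired Expires field.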
About the Author
M.Sc. in IT Security with over 5 years of experience in offensive security analysis. Leads the delivery of penetration tests, specialising in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.