This document is a response from HackerOne Inc. to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) regarding the Product Security Bad Practices Guidance. It emphasizes the necessity of a formal Vulnerability Disclosure Policy (VDP) for all organizations, not just those in critical infrastructure. The document outlines the benefits of VDPs, which include providing a structured method for reporting vulnerabilities, fostering trust among stakeholders, and reducing the window in which reported vulnerabilities can be exploited. It also discusses the detrimental effects of lacking a VDP, such as mishandling vulnerabilities and damaging trust with stakeholders. Furthermore, HackerOne suggests incorporating additional critical elements into the Bad Practices Guidance, including clear definitions of systems in scope, types of authorized testing, submission processes for vulnerability reports, safe harbor provisions, and expectations for acknowledgment and transparency. The submission concludes with appreciation for CISA and the FBI's efforts in recognizing the importance of VDPs.