Bugcrowd's Disclosure Policy discussion
We recently started a blog series that explores the value of bug disclosure and how we at Bugcrowd approach disclosure between researchers and our customers. Kymberlee’s upcoming posts will continue to dive into the details on our blog; I encourage you to read the beginning of the series below…

When it comes to disclosure, Bugcrowd encourages organizations and researchers to work together to share information in a coordinated and mutually agreed-upon manner. Our Standard Disclosure Terms and Researcher Code of Conduct outline our public disclosure policy, but each organization defines its own public disclosure policy for vulnerabilities reported through its bounty program. This document is intended to explain the disclosure options at Bugcrowd to both customers and crowd members.

We believe that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process when both parties are on the same page. It is important for security researchers to adhere to the defined disclosure policies of each unique bounty program when considering disclosure. It is also becoming more and more important for organizations running crowdsourced security programs to embrace the work coming out of their programs, and consider engaging in some form of coordinated disclosure.

Read more on the Bugcrowd blog