Responsible Disclosure
Safeguard articles tagged "Responsible Disclosure" — guides, analysis, and best practices for software supply chain and application security.
12 articles
How to Report a Security Vulnerability
You found a security bug — now what? This beginner guide walks through reporting a vulnerability responsibly, from finding the right contact to writing a clear report.
Ethical hacking techniques, mapped to a responsible disclosure workflow
Recon, enumeration, exploitation, and privilege escalation aren't just attacker steps — Log4Shell's 15-day gap between private report and public exploit shows why each maps to a disclosure decision.
How to Scan Large GitHub Orgs for Exposed Secrets Responsibly
28.65 million new secrets landed on public GitHub in 2025 alone. Here's a research methodology for finding them at scale without becoming the next incident.
A practical guide to bug bounty hunting
HackerOne alone has paid hackers over $300M since 2012, but most new researchers earn nothing — duplicates, not skill gaps, are the top reason first reports fail.
What is Responsible Disclosure
What responsible disclosure means, how 45-90 day timelines work in practice, and how coordinated CVE reporting like Log4Shell actually played out.
What is a Vulnerability Disclosure Program
What a vulnerability disclosure program actually is, how it differs from a bug bounty, and what CISA, ISO, and the EU CRA now require of it.
Coordinated Vulnerability Disclosure: A Complete Guide
Coordinated disclosure protects users while giving vendors time to fix. Here is how to run a disclosure process that works for all parties, whether you are the reporter or the vendor.
How to Write a Vulnerability Disclosure Policy Developers Respect
Most VDPs are lawyer documents nobody reads. Here is how to write one with real safe harbor, honest SLAs, and an intake path researchers will actually use.
Vulnerability Disclosure Policy Template
A practical template for creating a vulnerability disclosure policy, with guidance on safe harbor provisions, response timelines, and researcher relationships.
Responsible Disclosure in Open Source: The Messy Reality
Responsible disclosure sounds simple in theory. In practice, coordinating vulnerability disclosure across open source projects with no budgets, no SLAs, and no obligation to respond is an exercise in patience and diplomacy.
Bug Bounty Programs with a Supply Chain Focus
Traditional bug bounty programs miss supply chain vulnerabilities. Here's how to design a bounty program that incentivizes researchers to hunt in your dependency chain.
Vulnerability Disclosure Programs: Building Trust with Security Researchers
A well-designed vulnerability disclosure program turns external researchers into force multipliers for your security team. A poorly-designed one guarantees your vulnerabilities end up on Twitter instead of your inbox.