Safeguard
Tag

vulnerability-disclosure

Safeguard articles tagged "vulnerability-disclosure" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Concepts

What Is a CVE Numbering Authority (CNA)?

A CNA is an organization authorized to assign CVE identifiers to vulnerabilities in its scope. Here is how CNAs work and why they shape how fast a flaw becomes citable.

Nov 11, 20255 min read
Vulnerability Management

Best bug bounty and vulnerability disclosure platforms

A practical buyers guide to bug bounty platforms and vulnerability disclosure program software, comparing HackerOne, Bugcrowd, Intigriti, YesWeHack, and more.

Nov 6, 20258 min read
Vulnerability Analysis

Why Vulnerability Disclosure Timelines Still Vary Wildly ...

Google gives vendors 90 days, ZDI gives 120, the EU wants 24 hours, and Linux had no CVE process until 2024. Here's why disclosure timelines diverge so sharply across ecosystems.

Aug 10, 20257 min read
Industry Analysis

2025 Bug Bounty Program Reforms: What Changed

From Microsoft's AI bounty expansion to the EU CRA's good-faith researcher protections, bug bounty rules of engagement shifted meaningfully in early 2025.

Feb 4, 20255 min read
Industry Analysis

The 2024 End-of-Year Vulnerability Disclosure Report

A look back at vulnerability disclosure in 2024: counts, severity distribution, time-to-patch, and the handful of incidents that shifted practice. Numbers, not narrative.

Dec 18, 20246 min read
Best Practices

Scoping a Vulnerability Bounty Program for Supply Chain

How to scope a bug bounty program that addresses supply chain risks: in-scope assets, payout tiers, triage workflow, and avoiding the trap of dependency CVE bounties.

Oct 30, 20246 min read
Vulnerability Management

Coordinated Vulnerability Disclosure: A Complete Guide

Coordinated disclosure protects users while giving vendors time to fix. Here is how to run a disclosure process that works for all parties, whether you are the reporter or the vendor.

Apr 28, 20247 min read
Guides

How to Write a Vulnerability Disclosure Policy Developers Respect

Most VDPs are lawyer documents nobody reads. Here is how to write one with real safe harbor, honest SLAs, and an intake path researchers will actually use.

Apr 22, 20247 min read
Organizational Security

Vulnerability Disclosure Policy Template

A practical template for creating a vulnerability disclosure policy, with guidance on safe harbor provisions, response timelines, and researcher relationships.

Dec 20, 20237 min read
Industry Analysis

The Economics of Vulnerability Bounties: Who Wins and Who Loses

Bug bounty programs are a billion-dollar market. But the economics do not work equally well for everyone. A look at who benefits, who gets shortchanged, and what the numbers actually say.

Jul 15, 20236 min read
Open Source Security

Responsible Disclosure in Open Source: The Messy Reality

Responsible disclosure sounds simple in theory. In practice, coordinating vulnerability disclosure across open source projects with no budgets, no SLAs, and no obligation to respond is an exercise in patience and diplomacy.

Dec 22, 20227 min read
Open Source Security

Open Source Security Bounty Programs: Do They Actually Work?

Bug bounty programs for open source projects promise market-driven vulnerability discovery. The reality is more complicated, with perverse incentives, quality problems, and funding gaps.

Aug 18, 20226 min read
vulnerability-disclosure (Page 2) — Safeguard Blog