vulnerability-disclosure
Safeguard articles tagged "vulnerability-disclosure" — guides, analysis, and best practices for software supply chain and application security.
25 articles
What Is a CVE Numbering Authority (CNA)?
A CNA is an organization authorized to assign CVE identifiers to vulnerabilities in its scope. Here is how CNAs work and why they shape how fast a flaw becomes citable.
Best bug bounty and vulnerability disclosure platforms
A practical buyers guide to bug bounty platforms and vulnerability disclosure program software, comparing HackerOne, Bugcrowd, Intigriti, YesWeHack, and more.
Why Vulnerability Disclosure Timelines Still Vary Wildly ...
Google gives vendors 90 days, ZDI gives 120, the EU wants 24 hours, and Linux had no CVE process until 2024. Here's why disclosure timelines diverge so sharply across ecosystems.
2025 Bug Bounty Program Reforms: What Changed
From Microsoft's AI bounty expansion to the EU CRA's good-faith researcher protections, bug bounty rules of engagement shifted meaningfully in early 2025.
The 2024 End-of-Year Vulnerability Disclosure Report
A look back at vulnerability disclosure in 2024: counts, severity distribution, time-to-patch, and the handful of incidents that shifted practice. Numbers, not narrative.
Scoping a Vulnerability Bounty Program for Supply Chain
How to scope a bug bounty program that addresses supply chain risks: in-scope assets, payout tiers, triage workflow, and avoiding the trap of dependency CVE bounties.
Coordinated Vulnerability Disclosure: A Complete Guide
Coordinated disclosure protects users while giving vendors time to fix. Here is how to run a disclosure process that works for all parties, whether you are the reporter or the vendor.
How to Write a Vulnerability Disclosure Policy Developers Respect
Most VDPs are lawyer documents nobody reads. Here is how to write one with real safe harbor, honest SLAs, and an intake path researchers will actually use.
Vulnerability Disclosure Policy Template
A practical template for creating a vulnerability disclosure policy, with guidance on safe harbor provisions, response timelines, and researcher relationships.
The Economics of Vulnerability Bounties: Who Wins and Who Loses
Bug bounty programs are a billion-dollar market. But the economics do not work equally well for everyone. A look at who benefits, who gets shortchanged, and what the numbers actually say.
Responsible Disclosure in Open Source: The Messy Reality
Responsible disclosure sounds simple in theory. In practice, coordinating vulnerability disclosure across open source projects with no budgets, no SLAs, and no obligation to respond is an exercise in patience and diplomacy.
Open Source Security Bounty Programs: Do They Actually Work?
Bug bounty programs for open source projects promise market-driven vulnerability discovery. The reality is more complicated, with perverse incentives, quality problems, and funding gaps.