Do you need a vulnerability disclosure program? The feds say yes
The US Federal Trade Commission (FTC) and Department of Justice (DOJ) are signaling that organizations will be expected to maintain some form of vulnerability disclosure program (VDP): a published channel through which good-faith security researchers can report bugs. Most organizations have no VDP at all. A recent HackerOne study found that 94 percent of the Forbes Global 2000 offer researchers no way to report security issues.