# Vulnerability Disclosure and Bug Bounty Handling

One-sentence definition: Process to receive, validate, remediate, and credit external vulnerability reports safely.

## Key Facts

- Publish disclosure policy and contact; no legal threats to good-faith researchers.
- Triage quickly; reproduce; prioritize risk; communicate timelines.
- Coordinate patches and advisories; avoid exposing customer data.
- Track metrics (time-to-first-response, time-to-fix); reward per policy.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose responsible disclosure process to reduce risk from unknown reports.

**Mnemonic:** “**Hear**, **handle**, **heal**.”

## Mini Scenario

Q: Researcher posts POC before fix—response?

A: Engage, accelerate fix, publish advisory/mitigations, update policy.

## Revision Checklist

- Two policy elements.
- Two triage steps.
- Metric examples.

## Related

[[Reporting and Executive Summaries]] · [[Risk-Based Prioritization (CVSS EPSS Business Impact)]] · [[Web Application Testing (OWASP Top 10)]] · [[API Security Testing (OWASP API Top 10)]] · [[Domain 7 - Index]]