Vulnerability Disclosure Cheat Sheet

Revision as of 17:35, 19 June 2017 by Jmanico (initial effort)


Last revision (mm/dd/yy): 06/19/2017



This cheat sheet helps people report vulnerabilities they find, whether by chance or through deliberate security research.


Define the scope: check whether the company has

  • identified security contacts, typically the RFC 2142 mailboxes such as security@ and abuse@ on the company's domain,
  • a responsible disclosure web page,
  • a bug bounty program. Example platforms: HackerOne, Bugcrowd, Synack.
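The scope check above can be partly automated. The script below is an added example, not code from the OWASP page: given a company domain and the HTML of one of its pages, it lists the RFC 2142 contact mailboxes worth trying (security@ and abuse@, plus support@ and info@ as non-standard fallbacks, which is an assumption), links that look like a responsible disclosure page, links to the bug bounty platforms named on this page, and any e-mail addresses exposed as mailto: links. The domain acme.example and SAMPLE_HTML are constructed so the script runs offline; in practice you would feed it a page fetched from the real site.

```python
"""Scope-check helper for the "define the scope" step (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Mailboxes RFC 2142 reserves for reporting security and abuse problems.
RFC2142_MAILBOXES = ("security", "abuse")
# Common but non-standard fallbacks (assumption, not from the RFC).
FALLBACK_MAILBOXES = ("support", "info")
# Bug bounty platforms named in the cheat sheet.
BOUNTY_PLATFORMS = ("hackerone.com", "bugcrowd.com", "synack.com")
# Words that usually mark a disclosure or bounty policy page.
POLICY_RE = re.compile(
    r"(responsible|coordinated)[ _-]?disclosure|vulnerabilit|bug[ _-]?bounty|security",
    re.IGNORECASE,
)


def candidate_contacts(domain):
    """RFC 2142 addresses first, then the fallbacks, all on the given domain."""
    return [f"{box}@{domain}" for box in RFC2142_MAILBOXES + FALLBACK_MAILBOXES]


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def scope_check(domain, html, base_url=None):
    """Return the scope checklist derived from one page of the target's site."""
    base_url = base_url or f"https://{domain}/"
    parser = _LinkCollector()
    parser.feed(html)
    policy_pages, bounty_links, mailto = set(), set(), set()
    for href, text in parser.links:
        if not href:
            continue
        if href.lower().startswith("mailto:"):
            # Keep only the address, dropping any ?subject=... query.
            mailto.add(href[len("mailto:"):].split("?")[0])
            continue
        url = urljoin(base_url, href)
        if any(platform in url.lower() for platform in BOUNTY_PLATFORMS):
            bounty_links.add(url)
        elif POLICY_RE.search(text) or POLICY_RE.search(href):
            policy_pages.add(url)
    return {
        "contacts": candidate_contacts(domain),
        "page_emails": sorted(mailto),
        "policy_pages": sorted(policy_pages),
        "bounty_links": sorted(bounty_links),
        "has_program": bool(policy_pages or bounty_links),
    }


# Constructed sample page for a fictitious company; not a real site.
SAMPLE_HTML = """<html><body>
<a href="/about">About us</a>
<a href="/security/responsible-disclosure">Responsible disclosure policy</a>
<a href="https://hackerone.com/acme">Report a bug</a>
<a href="mailto:press@acme.example?subject=Hello">Press contact</a>
<a href="/careers">Careers</a>
</body></html>"""

if __name__ == "__main__":
    for key, value in scope_check("acme.example", SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The word list in POLICY_RE is deliberately broad (a plain "Security" navigation link is still worth a look); treat the output as candidates to read, not as a verdict, and confirm the mailboxes by sending a short test message before relying on them.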


It is recommended to use responsible disclosure when dealing with a vulnerability:

  • alert the company, contacting several people and more than once if needed;
  • alert a trusted third party, such as the national CERT or the data privacy regulator where applicable. For a data breach, security researchers such as Brian Krebs or Troy Hunt can act as intermediaries too;
  • full/public disclosure.

Depending on your context, each step may have more or less

References

  • RFPolicy 2.0, Rain Forest Puppy, 2000
  • Debating Full Disclosure, Bruce Schneier, Jan 2007
  • 7 Deadly Sins of Website Vulnerability Disclosure, Jeremiah Grossman, Jul 2007
  • Notification and disclosure Policy (update), Thierry Zoller, Sep 2008
  • Matt's Guide to Vendor Response, Talos, Dec 2009
  • The responsibility of public disclosure, Troy Hunt, May 2013
  • Approaches to Vulnerability Disclosure, Brad Antoniewicz, Jun 2014
  • Reflections on Vulnerability Disclosure Case Studies & Ethical Dilemmas, ERNW, ACM 2015
  • Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations, ENISA, Jan 2016
  • FireEye takes security firm to court over vulnerability disclosure, Sep 2015
  • Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch, Nov 2016
  • Bug bounties and extortion, Feb 2017

Authors and Primary Editors

OWASP Montréal, v0.3, Feb 2017
