Introduction
coordinatedvulnerabilitydisclosure.org (previously responsibledisclosure.nl) is an initiative that originated from the mutual lack of trust between many well-intentioned hackers and organisations with vulnerable systems. With a clear example policy it tries to encourage collaboration between those hackers and organisations.
Hackers who discover vulnerabilities out of curiosity often find themselves in a legal grey area. Even well-intentioned hackers often have incentives not to report vulnerabilities. Organisations can be negligent in responding to reports, communicate badly and bluntly deny the findings. In more extreme circumstances organisations can threaten the reporter with criminal or civil legal action. It is understandable that hackers might be discouraged from reporting the vulnerabilities they discover.
Many organisations are not prepared to handle outside vulnerability reports properly. Reports can get stuck at a customer service department that is trained to deny problems rather than to deal with constructive criticism. Internally, responsibilities can be unclear, leading to bad decisions in following up on a report.
When organisations design processes for responding to vulnerabilities and communicate their policy clearly and publicly, hackers know what to expect and where to report vulnerabilities. By publishing such a policy I hope to help many hackers and organisations improve this process.