Finding a vulnerability in someone else's system puts you at a fork. Handled well, responsible disclosure protects users, builds your reputation, and sometimes pays. Handled badly, the same finding gets you banned or sued. The core idea is simple: report the bug to the people who can fix it, and give them a fair window to do so before anything goes public. This lesson covers both sides of that, because most engineers end up on both: finding bugs in others' software, and receiving reports about their own.
Choosing how to disclose
| Approach | When it fits |
|---|---|
| Private | The default. Report, then wait. |
| Coordinated | The vendor is slow; you set a deadline, commonly 90 days. |
| Full disclosure | A last resort, after extended silence. |
| Bug bounty | When the organisation runs a programme. |
Finding who to tell
Look in the obvious places first: /.well-known/security.txt, a [email protected] address, a HackerOne or Bugcrowd page. If none exist, CERT/CC can coordinate on your behalf.
What "responsible" actually means
The ethics here are concrete, not vague. Stay on the right side of all of these:
- Discover within legal scope.
- Document with clear reproduction steps.
- Report through the preferred channel.
- Wait for acknowledgement.
- Don't exploit beyond what's needed to demonstrate the bug.
- Don't access real users' data.
- Don't disclose before the agreed timeline.
If you're chasing bounties
Read the scope before you touch anything. Testing outside it isn't a technicality, it can mean a ban or legal action. Rough bounty ranges, so you know what's at stake:
- Critical: $5k to $100k or more
- High: $1k to $15k
- Medium: $500 to $5k
- Low: $100 to $1k
A good report has a clear title, a one-line summary, a severity, reproduction steps, a proof-of-concept request and response, the real-world impact, and a suggested fix. The reports that get ignored share the same flaws: no reproduction steps, raw scanner output nobody verified, out-of-scope targets, excessive drama, and testing against real user data.
If you're the one receiving reports
Make it easy for a researcher to do the right thing, because the alternative is them going public or staying quiet while the bug sits open:
- Publish a
/.well-known/security.txt. - Write a disclosure policy that states the scope and offers safe harbour.
- Set up a secure channel to receive reports.
- Acknowledge within a day, triage within three.
That safe harbour clause matters more than it looks: "We will not pursue legal action against good-faith researchers" is what turns a nervous finder into a cooperative one. Respect scope when you're testing, and offer scope and safe harbour when you're the one being tested.
