HackerOne is in the business of vulnerability disclosure and bug bounty programs—helping customers to implement solid strategies for communicating and resolving vulnerabilities effectively. In an effort to help more businesses grasp vulnerability disclosure and coordination, HackerOne released a free public benchmarking tool called the Vulnerability Coordination Maturity Model, or VCMM for short.

I spoke with Katie Moussouris, chief policy officer for HackerOne, to learn more about VCMM. As the concept of bug bounties gains more mainstream traction, more organizations realize they need to have processes and policies in place to govern how vulnerabilities are communicated and managed. When Katie starts to dig in to learn where a company is right now, though, she finds that many have no clue what their existing policies or capabilities are. The VCMM was created to give organizations a tool to benchmark where they are so they can identify and prioritize the areas that need to be improved.

Tod Beardsley, security research manager at Rapid7, explained that there is a lot of confusion and misunderstanding about what to do when software vulnerabilities are discovered. “The Vulnerability Coordination Maturity Model is an important effort from HackerOne to codify some reasonable minimum standards on how organizations handle incoming, unsolicited vulnerability reports.”

Beardsley shared frustration over the lack of standards when it comes to communicating bugs.
Although there has been a guideline in place for over a decade stressing the need for a standard method of communication, Beardsley says that 7 out of 10 times he tries to send a message to firstname.lastname@example.org established standard for an email address for security communications—he receives a bounced email error.

“No software is immune to bugs; for most organizations it’s not a matter of if they’ll have an external hacker reporting security vulnerabilities, but when,” said Katie Moussouris in a press release statement. “This maturity model shows how to build muscles and reflexes in vulnerability coordination to improve the security of an organization’s software, and the outcome for all parties when vulnerabilities are disclosed.”

You don’t need to be a vulnerability or security expert to take advantage of the VCMM. In fact, that’s sort of the point. Beardsley praised the HackerOne tool and expressed confidence that VCMM is a solid step in the right direction. “The work that HackerOne has put into this document is clear, concise, and it shouldn’t trigger the fear and anxiety that normally accompanies a one-off vulnerability disclosure that arrives out of the blue.”

Do you want to find out where your organization lies on the Vulnerability Coordination Maturity Model spectrum? Just visit HackerOne and answer a few questions to take advantage of the VCMM.