In 2015, two US security researchers hacked a Chrysler Jeep as it sped down the highway, remotely sending commands to the dashboard through the car's entertainment system. They gained control of the steering, brakes, transmission, radio – even the windscreen wipers. Nobody was hurt; the researchers were merely demonstrating a security flaw to the slightly terrified Wired journalist behind the wheel. Their work led to the recall of 1.4 million Chrysler vehicles and showed that the car industry needed to get serious about security flaws.

Roughly six months after the story was published, General Motors, in partnership with HackerOne, a bug bounty and disclosure portal provider, launched a vulnerability disclosure policy (VDP) in an effort to encourage ethical hackers to help it identify security flaws. “If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you,” reads the page on HackerOne's platform. “Please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.”

How common is a vulnerability disclosure policy (VDP)?

This open-door approach to ethical hacking is still far from the norm. HackerOne's 2018 Hacker Report, which surveyed 1,698 members of the hacking community, found that almost one in four ethical hackers have not reported a vulnerability because the company in question doesn't have a VDP. Those who had tried to notify the company through other channels, such as email or social media, also claimed they were “frequently ignored or misunderstood”.

The situation is slowly improving: 72 percent of the respondents in the report said companies were becoming more open to receiving information on vulnerabilities. But 94 percent of the Forbes Global 2000 still haven't published a VDP – something they may come to regret.

“If somebody outside of your company knows about a security issue that your team doesn't know about, that's a big risk because that unpatched vulnerability could be exploited by a criminal,” says Michiel Prins, co-founder of HackerOne. “If you don't have a vulnerability disclosure policy in place, you will always have that exposure.”

Unlike bug bounty programs, VDPs don't offer ethical hackers a financial reward for finding security flaws, but they can still be highly effective. The US Department of Defense, for example, has reportedly received and resolved nearly 3,000 vulnerabilities thanks to its VDP.

Google, Microsoft, and Apple have also used VDPs for many years, and they have mature processes in place to deal with reports of vulnerabilities. New entrants to the software market, or companies whose operations have recently become intertwined with the internet (such as car manufacturers), might not realize they need one.

“Until that first [external] report comes in, a lot of organizations just aren't watching for them,” says Art Manion, vulnerability analysis technical manager in the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and co-author of the CERT Guide to Coordinated Vulnerability Disclosure.

What should a VDP include?

A VDP effectively gives ethical hackers, research teams, academics and other external parties permission to remotely access the systems outlined in the policy and dig around for vulnerabilities.

A safe harbor assurance is particularly important to hackers and researchers, who are effectively putting themselves at risk by notifying an organization of a security flaw.

“It's a kind of assurance to the ethical hacker community that when they act in good faith, and they follow the rules of your program, there will be no penalty or law enforcement involvement,” says Prins.

Aside from this assurance, “Scope is, hands down, the most important component of a VDP,” says Kimber Dowsett, a security architect currently serving at 18F, a specialized technology division within the US General Services Administration, who drafted the organization's first vulnerability disclosure policy. “It's important to determine – and clearly state – which assets are up for grabs.”

When deciding this, organizations must consider data sensitivity, the resources available for remediation, and the overall stability of the asset, she explains. “It doesn't make any sense to have unstable or untested assets in scope, particularly if those assets house sensitive data.”

As HackerOne details in its guide to the critical components of a VDP, a policy should also include clear instructions for how to report a vulnerability and what information a submission should contain. In addition, it should open with an explanation of why the company has chosen to publish it (typically its commitment to security); an indication of when the person reporting the vulnerability can expect a response; a promise of credit for finding the flaw; and a statement of if and when the reporter has the organization's blessing to publicly disclose it.

“Even just saying it takes us on average 48 hours to fix things, or three months to fix things can help to set expectations. That kind of expectation setting goes a long way towards not having an accidental disclosure later on,” says Manion.

How can companies make this work in practice?

Putting all this information together and publishing it online is a relatively straightforward process. “The VDP itself can be created from available open source templates or existing policies,” says Dowsett, “through a vendor who specializes in VDPs (bug bounty providers are a great start), or with your organization's legal team following the guidelines established by the Department of Justice [in the US].”

However, putting processes in place internally to deal with the vulnerabilities people report requires more time and effort. “When your security team receives the report, they need to identify whether it's a valid vulnerability, and find out which team inside the company is responsible for mitigating the risk before handing it off to them to resolve,” says Prins.

“Defining and implementing a VDP requires collaboration from several different teams to make sure that introducing the policy doesn't open a floodgate of reports that your organization may or may not be in a position to fix before researchers publish their findings publicly,” says Dowsett. “You will almost certainly receive out-of-scope reports, but it's a lot better than hearing about your vulnerabilities via social media posts.”

The massive Equifax data security breach last year showed that a laissez-faire approach to vulnerabilities can have devastating business consequences, and the UK Government recently announced that infrastructure firms that fail to protect themselves effectively from cyberattacks will soon face fines of up to £17 million [$24 million]. All of which means that VDPs, to borrow a phrase from the car industry, are more likely to come as standard in future, rather than being treated as an optional extra.