C’mon, biz: Give white hats a chance to tell you how screwed you are

There have never been more white-hat researchers hunting for vulnerabilities on internet-facing systems, and yet barely any organisations provide a way for them to report the issues they find. In theory, the easiest way is to publish a Vulnerability Disclosure Policy (VDP), yet recent research (PDFs) from bug bounty outfit HackerOne showed that only 7 per cent of Forbes 2000 companies advertise a process that could be as simple as providing an email address and PGP key.

Read full news article on The Register

 

