You are managing a bug bounty program for a financial-services institution. A researcher submits a report describing a critical vulnerability that allows unauthorized access to customer accounts via an insecure API endpoint. What is the first recommended action you should take after receiving this report?
Validate the vulnerability to confirm whether the finding is legitimate.
Publicly disclose the issue immediately to alert customers.
Acknowledge receipt of the report and inform the researcher that the issue is being triaged.
Reward the researcher for identifying the vulnerability.
Upon receiving a vulnerability report, best-practice guidelines for coordinated vulnerability disclosure require an immediate acknowledgement to the researcher. This confirms that the report reached the appropriate team, sets expectations for response times, and helps build trust. Only after the acknowledgement is sent should the security team begin detailed validation and severity assessment, followed by remediation planning and eventual reward determination.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does it mean to validate a vulnerability?
Open an interactive chat with Bash
What are insecure API endpoints and why are they a risk?
Open an interactive chat with Bash
What are the next steps after validating a vulnerability?