Your organization has just received a report from an independent security researcher, who claims to have discovered a vulnerability in one of your web applications. The researcher has provided detailed steps to reproduce the issue. What is the most appropriate initial response to this situation that aligns with responsible disclosure practices?
Immediately offer a reward to the researcher for finding the vulnerability.
Acknowledge receipt of the report and assure the researcher that their findings are being investigated.
Publicly thank the researcher on social media platforms to proactively manage public relations.
Ignore the report as it has not been verified by your internal security team yet.
The first step in a responsible-disclosure workflow is to acknowledge that you have received the researcher's report and let them know the matter is being investigated. Prompt acknowledgement opens a communication channel, shows good faith, and helps prevent premature public disclosure. Ignoring the report can drive the researcher to disclose the flaw, publicly thanking them before verification may draw unnecessary attention, and offering a reward before confirming the issue (or without a bounty program in place) is premature.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is responsible disclosure?
Open an interactive chat with Bash
Why is it important to acknowledge vulnerability reports quickly?
Open an interactive chat with Bash
What is a bug bounty program, and when should it be used?