Consider this hypothetical cybersecurity scenario: a researcher discovers a critical vulnerability in a widely used enterprise platform. Rather than exploit it, the researcher responsibly reports the issue. Within days, a patch is released—potentially saving thousands of organizations from compromise.
This wasn’t luck. It was the result of a clear, public Vulnerability Disclosure Policy (VDP) and a healthy relationship between the company and the security research community.
At Rubrik, we believe that kind of partnership is essential to software security. That’s why we maintain a public VDP as part of our broader commitment to the CISA Secure by Design Pledge. Security is never static, and no product is immune to flaws. A well-structured VDP empowers external researchers to help us discover and address issues faster—ultimately keeping our customers safer.
What Is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP) is a formal document that outlines how a company accepts and handles security vulnerability reports from external sources. It acts as a bridge between organizations and security researchers by providing:
A clear process for reporting suspected vulnerabilities
Defined expectations for both the reporter and the organization
Legal protections for good-faith researchers (often called safe harbor)
Why a Public VDP Matters
By publishing a VDP, a company invites collaboration and opens the door to continuous improvement. This delivers specific security benefits, including:
Stronger Security: Even the best security teams can’t catch every issue. A public VDP taps into the broader security community to identify vulnerabilities early—before attackers do.
Trust Through Transparency: Publishing a VDP signals a commitment to security and openness. It builds confidence with customers, partners, and researchers by encouraging responsible disclosure.
Regulatory Alignment: Regulators increasingly view VDPs as best practice. Offering legal safe harbor for good-faith research helps reduce legal risk and demonstrates mature security governance.
Streamlined Response: A clear process for receiving and triaging reports saves time and reduces confusion, helping security teams focus on fixing issues—not managing intake chaos.
What Makes an Effective VDP?
A strong VDP isn’t just a legal document—it’s a signal of maturity and collaboration. Key ingredients include:
Accessible Reporting Channels: Make it easy to report issues. Rubrik, for example, provides a specific web form to streamline submissions.
Defined Scope: Clarify which systems are in-scope for testing and what’s out-of-bounds. This helps researchers focus on relevant areas and avoids unnecessary disruption.
Communication and Acknowledgment: Confirm receipt of every report. Keep researchers informed of progress where appropriate, even if specific remediation details can't be disclosed.
Safe Harbor: Clearly state that you won’t pursue legal action against researchers who follow the rules and act in good faith.
Internal Triage and Remediation Process: While not always public, having a consistent internal playbook ensures reports are quickly validated, prioritized, and remediated.
Public Recognition (Optional): Many organizations choose to publicly thank researchers (with their permission). This fosters goodwill and continued engagement.
How Rubrik Approaches Vulnerability Disclosure
As part of our CISA Secure by Design commitment, Rubrik maintains a public Vulnerability Disclosure Policy grounded in trust, respect, transparency, and the common good. Here's how we bring those values to life:
Openness to Reporters: We accept reports from researchers, customers, partners, and the public—anyone acting in good faith.
Clear Scope Definitions: Our policy explicitly lists in-scope assets (including public-facing applications) via a dropdown selector, reducing confusion and guiding researchers toward productive targets.
Out-of-Scope Transparency: We’re equally clear about what’s not in scope—such as denial-of-service attempts, configuration suggestions, or issues dependent on outdated browsers—saving time for everyone.
Defined Reporting Process: We direct researchers to a single, secure web form for submissions, ensuring structured intake and consistent handling.
Commitment to Communication: We acknowledge every report we receive and work to keep lines of communication open with the reporter, while respecting internal confidentiality and security protocols.
Shared Responsibility and Respect: We ask researchers to approach their testing ethically and responsibly, mirroring the same commitments we make to them.
The Road Ahead
Rubrik’s public VDP reflects our belief that security is a shared responsibility. It’s not just a checkbox—it’s a living practice that helps us detect issues faster, respond more effectively, and strengthen the trust we build with our customers and community. We’ll continue evolving our disclosure practices as part of our Secure by Design outlook, enhancing transparency and collaborating with the global security community to raise the bar for enterprise software security.