3-page policy template on the responsible, ethical disclosure of vulnerabilities.
The policy encourages people to report any vulnerabilities or other information security issues they discover with the organisation's IT systems, networks, processes and people. Management undertakes to investigate and address reports using a risk-based approach, reducing the time and effort required for spurious or trivial issues, while ensuring that more significant matters are duly prioritised.
The policy distinguishes authorised from unauthorised security testing, and touches on ethical aspects such as hacking and premature public disclosure.
It allows for reports to be made or escalated to Internal Audit, acting as a trustworthy, independent function, competent to undertake investigations dispassionately. This is a relief valve for potentially sensitive or troublesome reports where the reporter doubts they will receive fair, prompt treatment through the normal reporting mechanism - for instance, when reporting on peers or managers.
It is primarily intended as an internal/corporate security policy applicable to workers ... but can be used as the basis for an external policy to be published on your website. There are notes about this at the end of the template.
Supplied as an MS Word document, readily customised for your organisation's specific situation.
Responsible disclosure policy
Information security policy template on responsible disclosure