This page is going to be a living document, more like a personal wiki than just a journal, as I think out loud regarding bug finders' disclosure practices and corresponding policies within organizations. I recently learned of a large financial organization that makes a practice of literally not responding to anyone who says they found a vulnerability in their product, to the point where they don't even find out what the vulnerability is. I find this practice worrisome, particularly as a user of their products. I find that worrisome, but I wonder how many other organizations have that same policy?