For this study, we searched for VDPs associated with Fortune 500 companies and flagship brands of those companies, much in the same way we would if we were about to disclose a vulnerability about those companies’ products or services. Specifically, we looked for the following, in this order:
- The presence of a VDP associated with all Fortune 500 companies (or flagship brands of those companies) listed on either Bugcrowd’s 31 or HackerOne’s 32 crowdsourced bug bounty lists, or in the Disclose.io 33 program database.
- The presence of a standardized security.txt file on each company or flagship brand website to facilitate the sharing of discovered vulnerabilities with website maintainers.
- An obvious pointer to, or indication of, a VDP offered by the candidate companies by Googling the terms “vulnerability,” “disclosure,” and “security” along with the company name and flagship brand.