External researchers and hackers frequently find or even stumble upon vulnerabilities in an organization’s attack surface, and they need a way to submit their findings to internal security teams effectively. A Vulnerability Disclosure Program (VDP) is a structured way for organizations to receive and address security vulnerabilities discovered by external researchers and hackers. It ensures that these researchers can report their findings constructively before malicious actors can exploit them. 

Bugcrowd has produced an in-depth guide that outlines seven steps for implementing an effective VDP. In a recent webinar, Bugcrowd sat down with the State of California Department of Technology to learn more about its experience building its VDP. With Bugcrowd’s help, California implemented a highly successful VDP without hiring new staff or buying new tools, building entirely on its existing technology stack. Using insights from this webinar, we’ll explain how the State of California used the seven steps to implement its VDP, demonstrating how strategic investments in security can pay off big.


The State of California’s VDP success

In 2021, the State of California launched a VDP program in partnership with Bugcrowd. Initially, the program focused on the state’s executive branch, but has since expanded to include non-executive entities such as city governments. Today, the VDP serves approximately 150 entities statewide—a large and comprehensive security feedback system for the entire state. 

The program has elicited several positive results, including:

  • A large volume of vulnerability submissions: In 2023 alone, the program received 2,729 vulnerability reports, including 236 critical submissions. In 2024, it received another 1,072 submissions, with over 400 vulnerabilities successfully remediated by state agencies to date. 
  • High researcher participation and satisfaction: The program has attracted 786 unique security researchers, creating a diverse pool of expertise. When surveyed, security researchers gave the program positive feedback at a remarkable 10:1 ratio (the industry average is 5:1). This level of researcher satisfaction helps maintain engagement and continues to attract high-quality submissions.
  • Fast turnaround time: California processes submissions three times faster than other industry programs, which contributes to researcher satisfaction. 
  • Millions in cost savings: The program has helped the state identify vulnerabilities that could’ve caused millions of dollars of damages had they not been disclosed, based on state estimates. 
  • Encouraged collaboration: The VDP created a hub for partnership across state entities and the hacking community, as well as established a model for public sector security cooperation.

Let’s examine how California implemented its successful VDP following seven key steps, as well as what we can learn from its approach.

1. Determine business goals

Before launching a VDP, you must identify what you want to achieve. For the State of California, the primary goal for the VDP was to source external perspectives to uncover hidden vulnerabilities. The state already had a solid statewide security operations center, but it needed more clarity about potential vulnerabilities across its vast digital infrastructure.

Furthermore, California had a few other goals with the VDP program, including: 

  • Demonstrating security maturity
  • Reducing risk across state systems
  • Improving security ROI by connecting with external expertise, rather than expanding internal teams 
  • Enhancing security transparency for citizens and stakeholders while meeting compliance requirements
  • Helping internal teams prioritize security efforts based on real-world vulnerability data


2. Understand the three core components of a VDP

When California decided to start working on its VDP, it structured its approach around the three essential elements of a VDP.

First, it established a communication channel for researchers to submit vulnerability information by creating clear submission pathways for its diverse state systems.

Second, it developed an external-facing policy that set clear expectations for researchers. This policy established safe harbor provisions for those operating in good faith and provided specific instructions on reporting issues.

Third, it implemented a back-end process flow that determined how submissions would be validated and remediated. This included defining responsibilities, timelines, and escalation paths across different state entities.


3. Select a managed VDP platform

California partnered with Bugcrowd to implement its VDP, which proved crucial to its success. Initially, it considered building its own platform, but soon realized it would be a massive undertaking. As Conrad Long, California’s OIS Security Operations Chief, put it in the webinar, “You could try to go out, and you could find your researchers, you could design the specifications on how they’re gonna engage, what their behavior needs to be, what you’re gonna do with the information, how you’re gonna manage that, whether it’s a system or it’s some manual process or whatever. But we found that when we were working through this, it made a lot more sense to have help at the beginning, at least.” If you’ve never created a VDP before, it really helps to have someone on board who has experience working with researchers and getting systems in place.

This partnership allowed California to leverage Bugcrowd’s expertise in designing submission processes, managing communications with researchers, and integrating with existing state systems. Working with Bugcrowd, California built its VDP on top of its existing technology without the need for new staff or tools.

The platform helped California manage the high volume of reports, reducing approximately 14,000 total submissions to around 4,000 valid reports by filtering out duplicates and non-actionable submissions. Without this capability, state resources would’ve been overwhelmed quickly.

4. Choose assets within scope

For a VDP (and especially for a bug bounty program), you must decide which assets are in scope for the program. For California, the decision was straightforward: anything within ca.gov was within the VDP’s scope, including cities and smaller municipalities, not just state departments. This ensured wide coverage across state systems.

Over time, it expanded relationships with non-executive branch entities to broaden its security umbrella further. The state’s approach demonstrates that even large organizations with complex digital footprints can implement broad-scope VDPs with the right support and processes.

5. Determine vulnerability reception methods

Establishing clear methods of accepting vulnerabilities is a significant driver of researcher participation and program effectiveness. Bugcrowd’s research shows that 58% of security researchers won’t report a vulnerability if there’s no clear channel to do so. 

The California Department of Technology partnered with the California Cybersecurity Integration Center, which serves as a hub for the state government’s cybersecurity events. Through this partnership and its partnership with Bugcrowd, it created one VDP form that accepts vulnerability submissions for external cities, municipalities, and various state entities.

This structured approach helps route vulnerabilities to the appropriate teams while maintaining consistent processes. It also prevents researchers from feeling lost when reporting issues with different state entities: they can simply submit their findings to one place, and California directs the report to the right recipient internally.

Another benefit of this approach is de-duplication of submissions. Duplicates are notoriously difficult to manage, especially when the VDP receives 30–50 submissions for the same vulnerability. State teams save time through the platform’s de-duplication capabilities, which group these submissions before handing them over to the responsible team.
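As an added illustration of the intake process described in steps 4 and 5 (example code written for this article, not code from Bugcrowd or the State of California), the script below takes a batch of constructed submissions, checks whether each reported host actually sits inside a ca.gov-style scope, routes in-scope reports to a responsible entity, and groups duplicate reports of the same issue into one ticket. The routing table, entity names, researcher handles and submissions are all constructed assumptions; only the ca.gov scope rule comes from the article. The scope check is done on DNS label boundaries rather than by substring, since a substring test would wrongly accept hosts such as `notca.gov` or `ca.gov.example.com`.

```python
"""Added example: scope check, routing and de-duplication for VDP intake.
Not Bugcrowd's or the State of California's code. All hostnames, entity
names, researcher handles and submissions below are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# From the article: everything within ca.gov is in scope for the VDP.
SCOPE_SUFFIX = "ca.gov"

# Constructed (hypothetical) routing table: most specific suffix wins.
ROUTING = {
    "dmv.ca.gov": "DMV security team",
    "cdt.ca.gov": "CDT SOC",
    "ca.gov": "Statewide SOC (default)",
}


def host_of(target: str) -> str:
    """Lowercase hostname from a URL or bare host; ports and paths dropped."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host as a netloc
    host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def in_scope(target: str) -> bool:
    """True only for ca.gov itself or a real subdomain of it.

    The suffix test is anchored on a label boundary ("." + suffix), so
    'notca.gov' and 'ca.gov.example.com' are both rejected.
    """
    host = host_of(target)
    return host == SCOPE_SUFFIX or host.endswith("." + SCOPE_SUFFIX)


def route(target: str) -> Optional[str]:
    """Longest-matching-suffix lookup in ROUTING; None when out of scope."""
    if not in_scope(target):
        return None
    labels = host_of(target).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ROUTING:
            return ROUTING[candidate]
    return None  # not reached while the bare "ca.gov" key exists


def fingerprint(sub: dict) -> tuple:
    """(host, vulnerability class, path) key used to spot duplicate reports.

    Query strings and trailing slashes are normalised away so two reports of
    the same issue on the same endpoint collapse into one ticket.
    """
    url = sub["target"]
    if "://" not in url:
        url = "//" + url
    path = urlsplit(url).path.rstrip("/") or "/"
    return (host_of(sub["target"]), sub["vuln_type"].strip().lower(), path)


def triage(submissions: list) -> tuple:
    """Return (tickets, rejected).

    tickets maps a fingerprint to {"owner", "reporters", "ids"}; rejected is
    the list of submission ids whose target was out of scope.
    """
    tickets: dict = {}
    rejected: list = []
    for sub in submissions:
        owner = route(sub["target"])
        if owner is None:
            rejected.append(sub["id"])
            continue
        ticket = tickets.setdefault(
            fingerprint(sub), {"owner": owner, "reporters": [], "ids": []}
        )
        ticket["ids"].append(sub["id"])
        if sub["researcher"] not in ticket["reporters"]:
            ticket["reporters"].append(sub["researcher"])
    return tickets, rejected


# Constructed sample batch: two duplicates, one out-of-scope look-alike host,
# one host that merely ends in "ca.gov" as a substring, and two singletons.
SUBMISSIONS = [
    {"id": 1, "researcher": "r1", "target": "https://dmv.ca.gov/login?next=/", "vuln_type": "XSS"},
    {"id": 2, "researcher": "r2", "target": "dmv.ca.gov/login/", "vuln_type": "xss"},
    {"id": 3, "researcher": "r1", "target": "https://cdt.ca.gov/api/export", "vuln_type": "IDOR"},
    {"id": 4, "researcher": "r3", "target": "https://ca.gov.example.com/", "vuln_type": "SQLi"},
    {"id": 5, "researcher": "r4", "target": "https://notca.gov/", "vuln_type": "XSS"},
    {"id": 6, "researcher": "r5", "target": "https://www.ca.gov/contact", "vuln_type": "Open Redirect"},
]

if __name__ == "__main__":
    tickets, rejected = triage(SUBMISSIONS)
    for key, ticket in tickets.items():
        print(key, "->", ticket["owner"], "ids:", ticket["ids"], "reporters:", ticket["reporters"])
    print("rejected (out of scope):", rejected)
```

Run as-is, the batch of six submissions collapses to three tickets (the two XSS reports against the same login endpoint become one), and the two hosts that only resemble ca.gov are rejected before anyone spends triage time on them. In a real program the fingerprint would also carry a normalised parameter name or a hash of the proof-of-concept, and the routing table would be driven by the asset inventory rather than a literal.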


6. Establish management protocols

Once you’ve figured out how you’re going to receive vulnerabilities, you’ll need to determine how to triage and validate these incoming findings quickly and effectively. At the heart of California’s VDP is a 24/7 Security Operations Center with a team dedicated to higher-level triage. This team examines reports as they come in, ensuring they don’t sit in a queue, so that researchers receive prompt feedback. The greatest friction for researchers often arises when they don’t hear back from the organization after disclosing vulnerabilities. Quick feedback is essential to maintaining researcher participation, a key component of a VDP program’s success.

To make this more efficient, the state implemented automation that was integrated into its existing technology stack, channeling vulnerability information directly into its SOC. According to Long, implementing similar capabilities would cost its customers approximately $2 million per year, but California avoided this expense through effective integration.

7. Commit to continuous improvement

A VDP isn’t a one-and-done process. When done effectively, a VDP creates a continuous feedback loop between builders and breakers. Since establishing the program a few years ago, California has continued to refine its approach based on submission patterns, researcher feedback, and impact assessments. The VDP program has influenced state policy, informing new security requirements such as the mandate that all California government entities with websites and email must migrate to the ca.gov domain by 2029.

The program also helps translate technical security information into language that resonates with decision-makers. Security teams often struggle to explain risks to budget holders who don’t have a background in security. California’s VDP provides concrete data that helps quantify risk, such as the number of researchers who have found or validated a given vulnerability.

Building on its success, California is templatizing its approach to help other government entities implement similar programs, with the aim of creating something that can be duplicated with predictable results and extending its success to other public sector organizations. Looking ahead, California plans to introduce bug bounty programs on various critical applications, offering financial incentives for identifying and responsibly disclosing vulnerabilities to further enhance its proactive security efforts.


Are you ready to implement a successful VDP?

Implementing a VDP doesn’t need to be a massive undertaking. As the State of California’s experience demonstrates, even large, complex organizations can establish effective programs with existing resources and technology. VDPs connect organizations with diverse expertise, help identify vulnerabilities before they can be exploited, and demonstrate your commitment to security.

Ready to get started? Learn about all of our VDP packages and start harnessing the power of the hacker community.