Standing up coordinated disclosure
security.txt, intake, triage, and researcher comms — the disclosure process the CRA expects.
Standing up a coordinated vulnerability disclosure process, so a researcher's report reaches the right inbox and gets a real answer.
Publish security.txt
A machine-readable security.txt tells researchers where to report and how to reach you — the CRA expects a clear contact point, not a guess.
Take the report in
A dedicated intake channel captures each report with a reference, so nothing lands in a personal inbox and quietly dies.
Triage and validate
Reproduce, rate severity, and confirm which products and versions are affected — the same VEX decision your own monitoring uses.
Keep the researcher informed
Agree a disclosure timeline, credit the reporter, and coordinate the advisory so the fix and the public write-up land together.
It's live.
See the real thing at Proofwright.