A vulnerability disclosure policy sets the framework under which security researchers and ethical hackers identify and report security vulnerabilities, or information about potential weaknesses, in an organization's systems, networks, and applications. Ethical hackers can help organizations improve their security by identifying vulnerabilities in good faith and without expectation of remuneration. Vulnerabilities are identified from a threat actor's perspective, taking into account the mindset and intentions of malicious attackers. The policy establishes the boundaries of engagement, along with the guidelines, scope, process, and expectations for both parties involved. A responsible disclosure approach prioritizes risk reduction and minimizes the window of opportunity for exploitation, while full disclosure remains an option in cases where a vulnerability could not be successfully reported to the organization. Vulnerability disclosure policies bring value by helping prioritize cybersecurity investments, better defending systems and data, and supporting the coordination of multiple vendors' remediation efforts.