
Vulnerability Disclosure

Public intake, safe harbour enforcement, and 9-state governance for responsible disclosure.

The challenge

Does this sound familiar?

Security researchers report vulnerabilities by email. Reports get lost in inboxes. There is no safe harbour policy. Disclosure timelines are missed. The process has no governance and no audit trail.

How Fig helps

Vulnerability Disclosure with Fig

Public Intake

Rate-limited API endpoint accepting anonymous vulnerability reports. Supports email, web form, API, and bug bounty platform channels. Reports routed to the right organisation automatically.

Safe Harbour Enforcement

12+ configurable policy controls governing scope, channels, SLAs, and lifecycle logging. Exploitation breach detection protects both researchers and organisations.

9-State Governance

The lifecycle states include Reported, Triaged, Remediation, Remediated, Verified, Disclosed and Closed. Every state transition is logged, giving a full audit trail. Severity can be reassessed at any point, with the CVSS vector and the rationale recorded alongside the change.

Disclosure Management

Disclosure timeline tracking with advisory URL linking. Coordinated disclosure with researcher communication. Metrics: MTTA, MTTR, SLA breach rate, and disclosure compliance rate.

Core Capability

Fig provides a public intake endpoint for vulnerability reports with rate limiting, safe harbour statement enforcement, anonymous reporting support, and severity-based remediation SLAs with coordinated disclosure timeline tracking.
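The governed lifecycle, severity-based SLAs and metrics described above can be made concrete with a small state machine. The following is an added illustration, not Fig's own code: it uses only the seven state names the page lists (the page says there are nine), and the transition edges, the SLA values, the 90-day disclosure window, the actor names and the three sample reports are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumed transition graph. The page names seven of the nine states; only those
# seven appear here, and the edges between them are this example's assumption.
TRANSITIONS = {
    "Reported":    {"Triaged"},
    "Triaged":     {"Remediation"},
    "Remediation": {"Remediated"},
    "Remediated":  {"Verified", "Remediation"},  # failed verification sends it back
    "Verified":    {"Disclosed", "Closed"},
    "Disclosed":   {"Closed"},
    "Closed":      set(),
}
# Assumed severity-based remediation SLAs in days from triage, and an assumed
# 90-day coordinated-disclosure window from the original report (illustrative values).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
DISCLOSURE_WINDOW = timedelta(days=90)

@dataclass
class Report:
    report_id: str
    severity: str
    cvss_vector: str
    reported_at: datetime
    state: str = "Reported"
    audit: list = field(default_factory=list)   # append-only audit trail of dict entries

    def _log(self, at, actor, event, **detail):
        self.audit.append({"at": at, "actor": actor, "event": event, "detail": detail})

    def transition(self, to_state, actor, at):
        """Move along an allowed edge only; every move is written to the audit trail."""
        if to_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.report_id}: illegal transition {self.state} -> {to_state}")
        self._log(at, actor, "transition", frm=self.state, to=to_state)
        self.state = to_state

    def reassess(self, severity, cvss_vector, rationale, actor, at):
        """A severity change is accepted only with a CVSS vector and a non-empty rationale."""
        if severity not in SLA_DAYS or not cvss_vector or not rationale.strip():
            raise ValueError(f"{self.report_id}: reassessment needs severity, CVSS vector and rationale")
        self._log(at, actor, "reassess", frm=self.severity, to=severity, cvss=cvss_vector, rationale=rationale)
        self.severity, self.cvss_vector = severity, cvss_vector

    def entered(self, state):
        """Timestamp of the first transition into `state`, or None if it never happened."""
        for e in self.audit:
            if e["event"] == "transition" and e["detail"]["to"] == state:
                return e["at"]
        return None

    def sla_deadline(self):
        """Remediation is due SLA_DAYS after triage, at the current (possibly reassessed) severity."""
        triaged = self.entered("Triaged")
        return None if triaged is None else triaged + timedelta(days=SLA_DAYS[self.severity])

    def sla_breached(self, now):
        """Breached if remediated after the deadline, or still unremediated past it at `now`."""
        deadline = self.sla_deadline()
        return deadline is not None and (self.entered("Remediated") or now) > deadline

def metrics(reports, now):
    """MTTA and MTTR in hours, SLA breach rate, and disclosure compliance rate for a portfolio."""
    hours = lambda d: d.total_seconds() / 3600
    tta = [hours(r.entered("Triaged") - r.reported_at) for r in reports if r.entered("Triaged")]
    ttr = [hours(r.entered("Remediated") - r.reported_at) for r in reports if r.entered("Remediated")]
    with_sla = [r for r in reports if r.sla_deadline() is not None]
    on_time = [r.entered("Disclosed") - r.reported_at <= DISCLOSURE_WINDOW
               for r in reports if r.entered("Disclosed") is not None]
    return {
        "mtta_hours": mean(tta) if tta else None,
        "mttr_hours": mean(ttr) if ttr else None,
        "sla_breach_rate": sum(r.sla_breached(now) for r in with_sla) / len(with_sla) if with_sla else None,
        "disclosure_compliance_rate": sum(on_time) / len(on_time) if on_time else None,
    }

def sample_portfolio():
    """Three constructed reports (not real data) walked through the lifecycle; returns them and an assumed 'now'."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    h = lambda n: t0 + timedelta(hours=n)
    a = Report("VDP-1", "Critical", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", t0)
    for state, at in [("Triaged", 2), ("Remediation", 24), ("Remediated", 120),
                      ("Verified", 144), ("Disclosed", 720), ("Closed", 744)]:
        a.transition(state, "triager", h(at))
    b = Report("VDP-2", "Low", "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", t0)
    b.transition("Triaged", "triager", h(48))
    b.reassess("High", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               "Auth bypass reproduced unauthenticated, so PR:N and C:H apply", "triager", h(72))
    b.transition("Remediation", "triager", h(96))
    b.transition("Remediated", "dev-lead", h(960))   # day 40: past the 30-day High SLA
    c = Report("VDP-3", "Medium", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", t0)
    c.transition("Triaged", "triager", h(24))
    c.transition("Remediation", "triager", h(48))    # still open at "now", but inside its SLA
    return [a, b, c], h(24 * 60)
```

Two design points matter for audit use. The SLA clock starts at triage, not at report receipt, and it follows the current severity, so a reassessment that raises severity can retroactively put a report in breach; that is why the reassessment entry must carry its rationale. And because every timestamp the metrics rely on is read back from the audit trail rather than from mutable fields on the report, the figures an auditor sees are reproducible from the same log.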

Audit-ready workflow

How Vulnerability Disclosure becomes evidence

Vulnerability Disclosure should not be treated as a standalone tool surface. In Fig it is part of a governed workflow: a signal is captured, an owner is assigned, a control or risk is updated, and evidence is retained so the organisation can prove what happened later.

Lifecycle

Where it sits in the operating model

The Respond phase is where this capability sits in the wider Fig operating model. Fig turns the problem described above (reports arriving by email and getting lost, no safe harbour policy, missed disclosure timelines, no governance and no audit trail) into a repeatable lifecycle, so MSPs, risk teams, and auditors are not relying on static spreadsheets or ad hoc screenshots when a buyer asks for proof.

Evidence captured

What auditors and buyers see

For vulnerability disclosure, useful evidence normally includes the triggering record, the affected asset or supplier, the control requirement, the assigned owner, the decision made, the timestamp, and the outcome. That evidence is mapped back to frameworks such as Cyber Essentials, ISO 27001, NIS2, DORA, GDPR, CMMC, and internal policy requirements where relevant.

Implementation checks

Four steps to roll this out

  1. Define who owns vulnerability disclosure and what events should trigger review.
  2. Connect the relevant source systems so evidence is collected continuously.
  3. Map outputs to the frameworks and policies that matter to the organisation.
  4. Review exceptions, accepted risks, and overdue actions before audit or renewal.

Useful references

Independent sources buyers and auditors recognise

The exact evidence required still depends on your scope, risk profile, sector, and framework obligations.

Built for you

Who uses this?

MSPs & MSSPs

Offer vulnerability disclosure programme management as a service. Standardised intake and governance across client portfolios.


Security & risk teams

Run a compliant vulnerability disclosure programme meeting ISO/IEC 29147 and ISO/IEC 30111 requirements without a separate tool or manual email processes.


Compliance & audit

Complete evidence of disclosure programme governance, researcher communications, remediation timelines, and lessons learned for regulatory review.


Common questions

Frequently asked questions

Does this replace HackerOne or Bugcrowd?

For basic disclosure programmes, yes. Fig provides the governance layer: intake, triage, remediation tracking, safe harbour enforcement, and disclosure timeline management. For bug bounty programmes with financial rewards, you may use both.

How does the public intake API work?

A rate-limited endpoint (5 requests per IP per hour) accepts anonymous reports and routes them to the correct organisation. Researchers do not need an account. Reports include severity, description, and supporting evidence.
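The intake behaviour in that answer (a per-IP limit of 5 requests per hour, anonymous reports carrying severity, description and evidence, and automatic routing to an organisation) is shown below as an added example. It is not Fig's implementation: the sliding-window limiter, the severity vocabulary, the suffix-based routing rule, the response shape and the sample organisations and addresses are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

LIMIT, WINDOW_SECONDS = 5, 3600          # 5 requests per IP per hour, as the page states
SEVERITIES = {"Critical", "High", "Medium", "Low"}   # assumed severity vocabulary

class IntakeLimiter:
    """Sliding-window limiter keyed by client IP. A request that passes the limiter
    consumes a slot even if it is later rejected as malformed; rejected-as-429
    requests do not, so a blocked client is not pushed further back."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)   # ip -> timestamps (seconds) of counted requests

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop hits that have aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def validate_report(body):
    """Anonymous reports need no account, but must carry a severity and a description."""
    missing = [k for k in ("severity", "description") if not body.get(k)]
    if missing:
        return False, "missing field(s): " + ", ".join(missing)
    if body["severity"] not in SEVERITIES:
        return False, "unknown severity"
    return True, None

def route(target, orgs):
    """Assumed routing rule: the longest organisation domain that is the reported host
    itself or a parent of it. Returns None when nothing matches."""
    host = (target or "").lower().rstrip(".")
    best = None
    for domain, org in orgs.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, org)
    return best[1] if best else None

def handle(limiter, ip, now, body, orgs):
    """Order matters: the cheap rate check runs before any parsing of attacker-controlled input."""
    if not limiter.allow(ip, now):
        return {"status": 429, "error": "rate limit exceeded", "org": None}
    ok, err = validate_report(body)
    if not ok:
        return {"status": 400, "error": err, "org": None}
    org = route(body.get("target"), orgs)
    # Unroutable reports are still accepted (202) and held for manual routing rather than bounced,
    # so a researcher who names an asset the catalogue does not know is not silently dropped.
    return {"status": 202, "error": None, "org": org}
```

Two practitioner caveats. A per-IP limit this tight will also throttle legitimate researchers behind a shared NAT or VPN egress, so the 429 response should say when to retry and the policy page should offer a fallback channel. Conversely, per-IP limiting alone does nothing against a submitter with many addresses; it protects the endpoint from the casual flood, not from a determined one, so the triage queue still needs its own controls.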

What is safe harbour enforcement?

Safe harbour protects researchers who report vulnerabilities in good faith. Fig enforces this through configurable policy controls that define what is in scope, acceptable testing methods, and researcher protections. Exploitation breach detection flags reports that cross the line.

Does this integrate with the vulnerability scanning module?

Yes. Disclosed vulnerabilities feed into the same 9-state governance workflow used for scanner findings. Remediation, verification, and closure follow identical governed processes.

What standards does this comply with?

ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes). The workflow, policy controls, and audit trail are designed to meet these standards out of the box.

Next step

See Vulnerability Disclosure in action.

Book a walkthrough tailored to your frameworks and tooling.