CISA published guidance on establishing a coordinated vulnerability disclosure (CVD) program -- a formal process for receiving, triaging, and fixing security flaws reported by outside researchers before those flaws get weaponized or dumped publicly. The document lays out the basics: a clear reporting channel, a policy on what's in scope, response timelines, and a process for acknowledging researchers who report in good faith.
Most mid-market companies have no such front door. When a researcher finds a hole in your customer portal, your VPN, or your billing system, their only options are silence, a scattershot email to a generic inbox nobody checks, or Twitter. Every major breach post-mortem in the last decade has a variant of the same footnote: someone tried to report the issue weeks or months earlier and got ignored, stonewalled, or threatened with a CFAA letter. That's not a technical failure -- it's an organizational one, and it's entirely self-inflicted. Companies that build a CVD process turn hostile discovery into free, early warning; companies that don't turn every curious researcher into either a wasted tip or, eventually, a leak.
The SAL read: if a stranger finding a hole in your systems has no idea who to email, you've outsourced your incident response to whoever's patience runs out first.