5 Ways To Welcome Ethical Hackers Safely | Kindo
By: Daniel Kelley
Guide
October 19, 2025
6 mins

5 Ways To Welcome Ethical Hackers Safely

October is Cybersecurity Awareness Month 2025, a perfect time for security teams to reassess how they engage with the ethical hacking community. Embracing security through openness means inviting ethical hackers to probe your systems for vulnerabilities before cybercriminals do.

By welcoming outside researchers in a controlled way, organizations can find and fix vulnerabilities faster and strengthen their overall security posture. However, to collaborate effectively with ethical hackers, companies should set clear guidelines and channels.

Below, we outline five actionable steps to responsibly engage with ethical hackers. Let's dive in.

1. Publish a security.txt File for Easy Contact

One of the simplest ways to signal openness to ethical hackers is to publish a security.txt file on your website. This is a plain text file that gives security researchers a clear place to find vulnerability disclosure information. In practice, you place this file on your web server with contact details and instructions. This way, if a researcher discovers a security issue, they won’t have to hunt for the right email address or support form; the information is right there.

Lack of an obvious security contact can lead researchers to give up or assume a company doesn’t prioritize fixing issues. By contrast, a security.txt file invites reports and shows that you take security seriously.

A good security.txt file typically includes: a contact (an email address or web form URL for reporting issues), an encryption key link (optional, for secure communication), a policy link (to your full vulnerability disclosure policy, see next section), and an acknowledgments link (to your security hall of fame or thank-you page, see below). You should also include an expiry date so researchers know to trust the info only until it’s updated.

Large organizations like Google, Facebook, and GitHub already use security.txt, and governments worldwide endorse it as a standard. Yet many companies still haven’t adopted it. A 2025 survey actually found that 78% of tested tech companies had no security.txt in place. Publishing this file on your site is a quick win that immediately improves how easily ethical hackers can reach you.
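Before publishing the file, it is worth checking it the way a researcher's tooling will. The validator below is an added example (not code from the original post or from Kindo); it applies the RFC 9116 rules for the file served at /.well-known/security.txt: Contact and Expires are required, link fields must be https: or mailto: URLs, and Expires must be an RFC 3339 timestamp that is still in the future (the RFC recommends under a year out). The two sample files and the AS_OF reference date are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = {"Contact", "Expires"}  # RFC 9116: both must be present
LINK_FIELDS = {"Contact", "Encryption", "Policy", "Acknowledgments"}
AS_OF = datetime(2025, 10, 19, tzinfo=timezone.utc)  # hypothetical "today" for the checks


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}, collecting parse problems."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        fields.setdefault(name, []).append(value)
    return fields, problems


def check_security_txt(text, now=AS_OF):
    """Return the problems a researcher would hit; an empty list means the file is usable."""
    fields, problems = parse_security_txt(text)
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field {name}")
    for name in sorted(LINK_FIELDS & set(fields)):
        for value in fields[name]:
            if not value.startswith(("https://", "mailto:")):
                problems.append(f"{name} must be an https: or mailto: link, got {value!r}")
    for value in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
            continue
        if when <= now:
            problems.append(f"Expires {value} has passed; researchers will not trust the file")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems


# Constructed sample files: a usable one, and one with the mistakes the post warns about.
GOOD = """Contact: mailto:security@example.com
Expires: 2026-04-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/hall-of-fame
"""
BAD = "Contact: security@example.com\nExpires: 2024-01-01T00:00:00Z\n"
```

Running check_security_txt(BAD) reports the bare email address (not a mailto: link) and the expired date; the GOOD file passes cleanly.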

2. Post a Clear Responsible Disclosure Policy

Next, create a dedicated responsible disclosure or vulnerability disclosure policy (VDP) page on your website.

This policy guides researchers on how to report vulnerabilities and sets expectations for the process. It should clearly outline how to submit a report (e.g. via email or a form, or through a platform as discussed later), what information to include, and what timeline to expect (for acknowledgment and fixes). Importantly, the policy must include legal safe harbor language: a promise that if researchers follow the rules and act in good faith, your organization will not take legal action against them. 

Many organizations include a statement along the lines of: “If you make a good faith effort to comply with this policy, we consider your research authorized and will not pursue legal action against you”. This reassurance is important: without it, well-intentioned hackers might stay silent for fear of lawsuits.

A good disclosure policy also defines how you’ll handle the report. Describe what researchers can expect after they submit a bug: for instance, an acknowledgement within a certain number of days, a commitment to keep them informed of fix progress, and whether they are allowed to publicly disclose the issue after a fix (and under what timing). Using clear, simple language here builds trust.

In 2025, having a VDP isn’t just nice-to-have; it is increasingly treated as a baseline standard.

The U.S. government now mandates that federal agencies have vulnerability disclosure policies, and many industry standards (like ISO 29147) recommend them. By publishing a clear policy with safe harbor, you create the rules of engagement that allow ethical hackers to help you, knowing they’re authorized and protected.

3. Leverage a Managed Bug Bounty or VDP Platform

Handling vulnerability reports can become challenging as submissions grow; that’s where managed platforms come in. Consider using a bug bounty or vulnerability disclosure platform like HackerOne or Bugcrowd to streamline the process. These platforms provide ready-made infrastructure for receiving reports, communicating with researchers, and even coordinating rewards.

In 2025, thousands of organizations (from tech firms to banks and even the U.S. Department of Defense) rely on such platforms to run their programs. The benefits are clear: you tap into a large community of vetted hackers and get workflow tools to track and triage issues efficiently. HackerOne, for instance, reported over $77 million in bug bounties paid to researchers in the past year, a testament to how active and effective these programs are in finding bugs before bad actors do.

If running a full bug bounty (with cash rewards for findings) sounds daunting, you can start with a vulnerability disclosure program (VDP) on these platforms. A VDP is essentially an open invitation for reports without guaranteed bounties. Many platforms now even offer free or low-cost tiers for basic VDP management. For example, in 2024, HackerOne launched a free essential VDP tier so that organizations of any size can host a disclosure program and provide a safe channel for researchers.

4. Maintain a Public Security Hall of Fame

Recognizing the contributions of ethical hackers is an easy, high-impact practice.

Maintain a security hall of fame or acknowledgements page on your website where you publicly thank researchers who have responsibly disclosed vulnerabilities. This could be as simple as a list of names or aliases of contributors (with their consent) and perhaps the date or a brief description of their find. Many companies do this to show appreciation: it costs nothing, but it means a lot to the researchers. Public acknowledgment gives researchers recognition for their work, which can be valuable for their careers and reputation.

Microsoft’s security researcher hall of fame is one well-known example.

Having a hall of fame also signals to the wider community that you welcome reports and that you handle them in good faith. It creates positive reinforcement: researchers see others being thanked and are encouraged to come forward with findings.

Make sure to link this page in your security.txt file and/or disclosure policy. (The security.txt standard even has an acknowledgments field specifically for this purpose). Over time, your hall of fame becomes a testament to your collaborative approach to security. It shows that your organization sees security researchers as partners, not pests, and that you’re willing to give credit where it’s due.

5. Define Scope: In-Scope vs. Out-of-Scope Targets

To welcome ethical hackers safely, it’s a good idea to set boundaries on what they can test. A clear scope definition is a cornerstone of any vulnerability disclosure or bug bounty program. This means explicitly listing which applications, domains, or systems researchers are allowed to probe (in-scope), and which are off-limits (out-of-scope).

By defining scope, you protect sensitive systems and prevent misunderstandings. You might designate your main product website and application programming interfaces (APIs) as in-scope, but declare that internal corporate networks or third-party services are out-of-scope. Always include any specific exclusions: common ones are denial-of-service attacks, automated spam or brute-force attempts against login forms, physical intrusions into offices or data centers, and social engineering of employees.

These activities often fall outside what you want researchers to do, either because they can cause harm or because they aren’t relevant to your threat model. Be as detailed as necessary. If certain domains or IP ranges are in-scope, list them. If others (like corporate email systems or anything involving personal customer data) are off-limits, say so plainly.
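A written scope only helps if triage applies it consistently. The helper below is an added example (not code from the original post or from Kindo) that classifies a reported target against constructed in-scope and out-of-scope lists of hostnames, wildcard subdomains and CIDR ranges, with out-of-scope entries taking precedence so an exclusion like a corporate mail host is never overridden by a broad wildcard. The scope lists, the example.com hosts and the 203.0.113.0/24 range are hypothetical.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed scope for a hypothetical program. Out-of-scope entries win over in-scope ones,
# so "*.example.com" never re-admits the excluded mail host or the corporate subdomains.
IN_SCOPE = ["example.com", "*.example.com", "203.0.113.0/24"]
OUT_OF_SCOPE = ["mail.example.com", "*.corp.example.com", "203.0.113.250/32"]


def host_of(target):
    """Accept a bare host/IP or a full URL and return the host part, lower-cased."""
    if "://" in target:
        target = urlsplit(target).hostname or ""
    return target.strip().rstrip(".").lower()


def _matches(host, entry):
    """True if host matches a scope entry: exact hostname, wildcard pattern, or CIDR range."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # host or entry is not an IP/CIDR; fall through to hostname matching
    # fnmatch's "*" also crosses dots, so "*.example.com" covers deeper subdomains too,
    # but a suffix-only lookalike such as example.com.evil.test does not match.
    return fnmatchcase(host, entry.lower())


def classify(target, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Return 'out-of-scope', 'in-scope' or 'unlisted' for a reported URL, host or IP."""
    host = host_of(target)
    if any(_matches(host, entry) for entry in out_of_scope):
        return "out-of-scope"
    if any(_matches(host, entry) for entry in in_scope):
        return "in-scope"
    return "unlisted"  # not covered either way: ask the program owner before testing
```

Targets that come back "unlisted" are the ones worth adding to the policy text, since a researcher reading it would face the same ambiguity.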

Take Your Next Steps With Kindo

Security through openness is about collaboration, not confrontation.

When companies publish a security.txt file, set clear disclosure policies, define scope, and recognize researchers, they create an environment where ethical hackers can contribute effectively.

In 2025, the strongest security teams are those that engage with the hacker community instead of shutting it out. Openness builds trust, speeds up vulnerability discovery, and strengthens defenses over time.

Before launching a full bug bounty program, use Kindo to automate red team simulations and expose vulnerabilities early. It’s a practical way to prepare your environment, refine your processes, and make future hacker collaborations more effective.

Stay safe, and stay open to those who want to help.