COMING 2026 | Pre-Registration Open Soon
The Vulnerability Disclosure Handbook
A Practitioner's Guide to Coordinated Vulnerability Disclosure
The definitive field guide for security professionals, product teams, and executives navigating one of the most high-stakes moments in modern security operations. Built from real incidents. Written for real pressure.
The Email Arrives. Most Teams Are Not Ready.
A researcher has found a security vulnerability in your product and is reporting it to you. That is actually good news. But in the next 24 hours, your response will either build lasting trust or trigger a public relations crisis that no patch will fix.
This book tells you exactly what to do.
20 Chapters. Every Phase of Disclosure. No Guesswork.
From building a vulnerability disclosure program before you need it, to managing a 90-day countdown with a hostile researcher, to handling post-disclosure communications, The Vulnerability Disclosure Handbook covers the full lifecycle in three parts:
Build Before the Crisis
Security contact pages, disclosure policies, triage workflows. The infrastructure that makes every future report manageable. Most organizations build this after their first bad incident. You do not have to.
Manage the Disclosure
Communicating with researchers, setting timelines, coordinating with CERTs, negotiating extensions. Understanding what responsible disclosure actually obligates you to do, and what it does not.
Remediate and Recover
DVPM prioritization, patch coordination, CVE assignment, public advisories, post-incident review. How to close a disclosure cleanly, build researcher trust, and come out with your reputation intact.
DVPM: Prioritize What You Fix First
CVSS tells you how severe a vulnerability is. It does not tell you which one to fix first.
The Disclosure Vulnerability Priority Model (DVPM) is a practical prioritization framework developed from real-world remediation decisions. It accounts for four factors that raw CVSS scores cannot:
Exposure — How broadly is the affected component deployed? Internal only, customer-facing, or embedded in millions of devices?
Impact — What does exploitation actually enable, mapped to your specific deployment context?
Exploitability — Is there active exploitation in the wild? Proof of concept code available?
Real-World Signals — CISA KEV listings, threat intelligence feeds, researcher reputation.
The full DVPM methodology is covered in Chapter 5 of the Handbook.
About the Author
Chuck Davis has been working in cybersecurity since the late 1990s, when he joined IBM managing incident response, malware defense, and computer forensics. He went on to lead security at The Hershey Company, spent a decade as an adjunct professor teaching ethical hacking and cybersecurity at the graduate and undergraduate level, and now serves as VP and CISO for one of the world's largest manufacturers of IoT security devices.
He is the creator of NetBOM, a co-author of multiple IBM Redbooks, and holds 10 U.S. patents. He has built, managed, and responded to vulnerability disclosure programs across multiple industries and geographies, spanning more than 150 countries.
This book is the field manual he wished had existed at every stage of his career.
Who This Is For
Security Engineers and Analysts
The people triaging reports, writing advisories, and coordinating patches. This is your operational reference.
CISOs and Security Directors
Program builders and executive decision-makers. Policy templates, legal frameworks, and board-level communication guidance.
Product and Engineering Leaders
Responsible for software or hardware that ships to customers. Understand your obligations before a report arrives.
Founders and Startup Teams
No security background required. This handbook walks you through every step from scratch.
Legal and Compliance Professionals
The regulatory landscape, safe harbor considerations, and the legal implications of disclosure timelines.
Security Researchers
See the vendor side of the process. Understand what happens to your report after you send it and how to maximize cooperation.
Be First to Know When It Launches
Join security professionals waiting for this book. Get notified at launch and receive free resources in the meantime. No spam.