Vulnerability Disclosure Program (VDP) Frequently Asked Questions (FAQ)

The State of Maryland is committed to protecting the security and integrity of its digital infrastructure through the establishment of a statewide Vulnerability Disclosure Program (VDP).

This program provides a secure, coordinated, and lawful way for security researchers to report potential vulnerabilities in State systems, embodying a “see something, say something” approach to cybersecurity. By encouraging good-faith reporting, the VDP enhances the State’s ability to detect, remediate, and mitigate vulnerabilities before they can be exploited, strengthening overall enterprise vulnerability management and safeguarding State data and services.

Report a Vulnerability

General Questions

  1. What is a Vulnerability Disclosure Program (VDP)?
     A VDP provides a formal method for external security researchers to report vulnerabilities in good faith, enabling organizations to address them before malicious exploitation occurs.

  2. Is a Bug Bounty program the same as a VDP?
     Not exactly. A VDP is broader in scope, usually ongoing, and does not include financial rewards. It focuses on responsible disclosure and improving overall security posture. Bug bounty programs are typically shorter in duration, offer financial rewards, and focus on finding high-severity vulnerabilities quickly. A VDP can be thought of as a cybersecurity “see something, say something” program.

  3. What’s different about the VDP compared to current vulnerability reporting?
     Before the VDP, researchers often had to send unsolicited emails hoping they’d reach the right contact. Sometimes those messages made it to the appropriate stakeholders; often they didn’t. A formal VDP provides a clear, reliable path for submitting reports and gives the State a standardized way to receive, verify, and act on them.

  4. Who is our current VDP partner?
     The State of Maryland’s VDP is operated in partnership with Bugcrowd.

  5. How was Bugcrowd selected to be the current VDP partner?
     OSM developed a Small Procurement Request for Proposal (RFP) specifying the State’s intention to procure services in support of establishing a VDP. This RFP was released to the eMaryland Marketplace (eMMA) for competitive bidding. Proposals were evaluated according to standard competitive proposal evaluation criteria, and Bugcrowd was selected for award of the procurement.

  6. Why partner with a third-party VDP provider?
     Using a trusted partner like Bugcrowd gives the State of Maryland access to an established global researcher community, proven workflows, and scalable reporting infrastructure. This model increases researcher participation, improves triage efficiency, and allows us to focus on remediation while ensuring taxpayer value.

  7. Who else has successfully implemented a VDP?
     Federal agencies such as CISA and DoD; private sector organizations like Microsoft, Google, and Facebook; and many state and local governments, including California, Iowa, Ohio, Delaware, Minnesota, Idaho, New Jersey, Los Angeles, and Washington DC.

  8. What is Safe Harbor?
     Safe Harbor is the State’s commitment to treat security research activities conducted in conformance with the VDP policy as authorized and lawful, and to say so if punitive action is commenced in connection with those activities. It ensures that researchers acting in good faith who follow the Rules of Engagement (ROE) are not penalized for discovering and reporting security vulnerabilities as part of the VDP. The State CISO is responsible for interpreting all researcher activity against the good-faith standard.

  9. Is the VDP expensive?
     No. The VDP is fully funded by OSM and designed to be a cost-effective addition to the State of Maryland’s security posture. It provides broad coverage without adding financial burden to participating entities.

  10. Does the VDP offer monetary rewards?
      No. The VDP is a volunteer-based, good-faith reporting initiative. Monetary rewards are associated with bug bounty events, which may be launched separately. That said, we make a point of acknowledging researchers who submit high-quality, impactful findings.

Scoping & Participation

  1. What are the rules of engagement?
     Participants must adhere to the defined program scope and prohibited activities, as outlined in the Maryland VDP briefing hosted by Bugcrowd. Testing outside this scope or using unauthorized techniques is not permitted.

     Researchers are expected to:

     • Act in good faith and avoid causing harm to systems or users
     • Cease testing immediately if sensitive data is encountered
     • Report findings through the designated disclosure platform
     • Keep vulnerability details confidential

     By following these rules and staying within scope, researchers will be considered authorized participants and eligible for Safe Harbor protections.

  2. How do researchers participate responsibly in the VDP without causing harm to systems?
     Most security researchers, especially those active in the vulnerability disclosure and bug bounty communities, are familiar with responsible testing practices. They operate within defined rules of engagement and aim to prove a vulnerability exists without exploiting it further. This limits system impact and aligns with ethical hacking and good-faith reporting principles.

  3. How do researchers submit vulnerabilities?
     Submissions may be made in one of two ways:

     • Through the web-based reporting form on the State of Maryland VDP page.
     • Submitting a vulnerability report to the dedicated State of Maryland VDP briefing hosted by Bugcrowd.

  4. Is participation in the VDP required for covered entities?
     Yes. All public-facing systems owned or operated by or on behalf of State agencies, local governments, public educational institutions, and other entities using networkMaryland or official State domains are in scope. The VDP makes entities aware of otherwise unknown vulnerabilities, is an essential element of an effective enterprise vulnerability management program, and is critical to the security of internet-accessible State information systems.

  5. How will remediation be enforced?
     Findings reported through the VDP should be treated like any other security signal, for example a vulnerability scan result or an alert from an endpoint detection tool. The VDP simply adds another method for identifying and reducing risk.

     While the formal directive includes language about enforcement actions, those are reserved for the most extreme situations. In practice, our approach to remediation is collaborative. Cybersecurity is a shared responsibility, and our goal is always to work together to address issues quickly and effectively.

     If any entity needs support or resources to resolve a reported vulnerability, we’re committed to partnering closely to help get it addressed.

Process & Engagement

  1. How are vulnerabilities triaged and validated?
     Bugcrowd and OSM jointly review and triage submissions to confirm severity, exploitability, and validity. Only confirmed vulnerabilities are sent to asset owners for remediation.

  2. What happens after a vulnerability is reported?
     Once validated, OSM contacts the asset owner or responsible party to begin remediation. OSM support is provided throughout the reporting and remediation process.

  3. How does the program support non-executive-branch entities?
     OSM provides validation, coordination, and technical subject matter expertise to help resolve issues efficiently, regardless of entity type.

  4. Who pays for the program?
     The program is fully funded and managed by the Office of Security Management (OSM). No cost of the VDP is passed down to entities or asset owners. If there are costs associated with the remediation of an identified vulnerability, those costs are the responsibility of the asset owner.

  5. What if we can’t fix a reported issue quickly?
     OSM will work with your team to prioritize the issue, develop a mitigation plan, and set realistic remediation timelines.

  6. How are vulnerabilities tracked?
     All submissions and researcher interactions are logged and tracked via the encrypted Bugcrowd platform.

  7. What if a reported vulnerability turns out to be a false positive?
     False positives are identified during triage and closed with no action required by the agency.

Future & Vision

  1. Will the VDP expand in the future?
     The program is intended to evolve over time based on results, feedback, and lessons learned. Expansion may include modifying scope or participation models.

  2. Will Maryland host bug bounty events?
     Maybe. While none are currently scheduled, the State is open to planning future time-bound bug bounty events that offer compensation to vetted researchers.

  3. How does the VDP align with statewide cybersecurity strategy?
     The VDP reinforces Maryland’s proactive approach to cybersecurity, enhances digital resilience, mirrors industry and federal best practices, and supports the Moore-Miller administration’s commitment to modern, secure services.

  4. How often is the VDP updated?
     At minimum, the program will be reviewed annually. Updates to scope, rules of engagement, or reporting processes will be communicated to stakeholders as needed.

  5. Where may I find additional resources?
     To learn more, visit the Vulnerability Disclosure Program’s Binding Operational Directives.

If you believe you have discovered a vulnerability in a system covered by this program, please submit your report to the Vulnerability Disclosure Program.