A hacker contacts your organization. They say they have found a major vulnerability in your software. What should you do? Are you under attack? What if the hacker asks for a “donation”? Vulnerability disclosure policies (VDPs) and processes are increasingly built into regulations and standards, including PCI v4.0. This presentation will provide an overview of vulnerability disclosure best practices, the differences between VDPs and bug bounties, and how these practices fit within PCI 4.0 compliance.