New Vulnerability Disclosure Policies Released by Blast Audit and SafePorter
Blast Audit and SafePorter Formalize Researcher Relations with New VDPs
Related Entities
Other
Full Report
Executive Summary
In a move that reflects a maturing approach to cybersecurity collaboration, two firms, Blast Audit and SafePorter, independently published new Vulnerability Disclosure Policies (VDPs) on February 15, 2026. These policies create a clear, authorized channel for security researchers to report vulnerabilities in the companies' products and services. Crucially, both VDPs include "safe harbor" clauses, which legally protect researchers from prosecution when their work is conducted in good faith and adheres to the policy's scope. The establishment of formal VDPs is a best practice that encourages responsible disclosure, helps companies discover and fix flaws faster, and builds trust with the security research community.
Policy Details
Both Blast Audit and SafePorter have adopted standard components for their VDPs, demonstrating an alignment with industry best practices.
Blast Audit's VDP:
- Scope: Clearly defines which of its assets and systems are in scope for testing.
- Reporting: Provides a dedicated form for submitting vulnerability reports.
- Safe Harbor: Explicitly states that the company will not pursue legal action against researchers for good-faith activities that comply with the policy.
SafePorter's VDP:
- Scope: Defines the scope as its DataProtected platform.
- Reporting: Details how to report a vulnerability and what information to include for it to be effective.
- Response SLA: Commits to acknowledging receipt of a report within five business days and maintaining open communication with the researcher.
- Out-of-Scope: Both policies clearly define prohibited activities, such as Denial of Service (DoS) attacks, social engineering, and physical security testing.
Importance of VDPs
A Vulnerability Disclosure Policy is a foundational element of a mature cybersecurity program. It serves several key functions:
- Provides a Clear Channel: Without a VDP, researchers may not know how to report a flaw, or may hesitate to do so for fear of legal threats. A VDP provides a clear, official
Timeline of Events
Timeline of Events
Blast Audit and SafePorter publish their new Vulnerability Disclosure Policies.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats
🎯 MITRE ATT&CK Mapped
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
🧠 Enriched & Analyzed
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
🛡️ Actionable Guidance
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
🔗 STIX Visualizer
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
⚡ Sigma Generator
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.