Companies are increasingly viewing external security researchers, sometimes referred to as ethical hackers, as potential allies who can assist in early identification of system and product vulnerabilities. Technologically sophisticated organizations are implementing vulnerability disclosure policies (VDPs) to provide a framework for interacting with, and receiving reports from, third-party security researchers. While VDPs have not yet become the norm, they are increasingly being embraced by savvy corporations, regulators and thought leaders as a best practice. In this guest article, Marshall L. Miller and Adam Sowlati, attorneys at Wachtell, provide an overview of the benefits of VDPs, outline the legal and regulatory landscape and highlight features of successful policies. See “Capital One Breach Demonstrates Risk of Overlooking Vulnerabilities When Sending Data to the Cloud” (Aug. 14, 2019).