Coordinated Vulnerability Disclosure and VDP Programs
RCCE students will learn how organizations receive, validate, prioritize, and disclose externally reported vulnerabilities through structured vulnerability disclosure and researcher engagement programs. They will learn to draft intake policies, define safe harbor language, manage disclosure timelines, coordinate remediation, work respectfully with researchers, and publish accurate public advisories without unnecessarily increasing risk. The course covers practical scenarios ranging from report intake through validation, disclosure coordination, and public communication. Students will also learn to analyze complex systems and think like an attacker in order to better defend the organization. This comprehensive course delivers practical knowledge applicable to real-world cybersecurity operations. Starting from foundational concepts, students learn through a combination of concept explanation, practical demonstration, and hands-on exercises.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Coordinated Vulnerability Disclosure and VDP Programs
- Execute hands-on tasks for coordinated vulnerability disclosure
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn
- Execute hands-on tasks for course structure — covering Level: Intermediate — AppSec domain.
- Execute hands-on tasks for why coordinated disclosure matters
- Execute hands-on tasks for uncoordinated risks
- Execute hands-on tasks for coordinated benefits — covering Controlled remediation timelines.
- Execute hands-on tasks for the FIRST PSIRT Services Framework
- Execute hands-on tasks for bug bounty
- Execute hands-on tasks for full disclosure — covering Open to all security researchers, Reward-based incentive model.
- Execute hands-on tasks for ISO 29147 — Disclosure — covering Defines how vendors receive reports, Establishes communication protocols.
- Execute hands-on tasks for ISO 30111 — Handling — covering Internal vulnerability handling process, Triage, analysis, remediation phases.
| Module | Title |
|---|---|
| Module 01 | Coordinated Vulnerability Disclosure |
| Module 02 | Course Overview |
| Module 03 | What You Will Learn |
| Module 04 | Course Structure |
| Module 05 | Why Coordinated Disclosure Matters |
| Module 06 | Uncoordinated Risks |
| Module 07 | Coordinated Benefits |
| Module 08 | FIRST PSIRT Services Framework |
| Module 09 | Bug Bounty |
| Module 10 | Full Disclosure |
| Module 11 | ISO 29147 — Disclosure |
| Module 12 | ISO 30111 — Handling |
| Module 13 | Integration Point |
| Module 14 | VDP Policy Design Principles |
All hands-on labs run on Rocheston Rose X OS. Students practice coordinated vulnerability disclosure and VDP programs by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for coordinated vulnerability disclosure
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for what you will learn
- Lab 4: Execute hands-on tasks for course structure
- Lab 5: Execute hands-on tasks for why coordinated disclosure matters
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Coordinated Vulnerability Disclosure and VDP Programs, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI