Finding and communicating vulnerabilities is de rigueur for Black Hat speakers, and experiences vary wildly. For companies being notified, the maturity of their response falls on a spectrum: some have no idea what to do, some have a security@ alias set up, others have a formal vulnerability management process, and others have fully funded bounty programs. Even the simple act of keeping researchers informed on a timely basis, and making sure patches actually happen and are rolled out with proper notification, is a huge hassle, with or without a bounty. Is it worth it? Managing disclosure is a minefield for both the researcher and the company being notified. Join us in this session for a live discussion of the pros and cons of a disclosure program, the considerations for both the company and the researcher, and the common pitfalls.