Practice facilitating the reporting of vulnerabilities not yet widely adopted in Finland

How will I find out when someone else discovers a vulnerability in my organisation’s online service? How can my organisation agree on common rules with the discoverer of a vulnerability when we do not even know each other? Offering solutions to these challenges is a proposed new practice that involves organisations always publishing contact details and policies regarding vulnerabilities in the same place. This practice was studied in a thesis project carried out for the NCSC-FI. The resulting article also includes tips for publishing a security.txt file.