CERT-In Vulnerability Disclosure Policy
CERT-In's Vulnerability Disclosure Policy establishes a coordinated framework for security researchers and organizations to report and remediate cybersecurity vulnerabilities in Indian digital infrastructure.
The CERT-In Vulnerability Disclosure Policy, operationalized under the Information Technology Act, 2000, provides a structured mechanism for responsible disclosure of security vulnerabilities affecting Indian cyberspace. It establishes timelines, communication protocols, and safe harbor provisions for security researchers who discover and report vulnerabilities to affected organizations through CERT-In's coordination. The policy mandates that organizations acknowledge, validate, and remediate reported vulnerabilities within stipulated timeframes while maintaining confidentiality until patches are deployed. CERT-In acts as the central coordinating agency, facilitating communication between researchers and vendors, issuing advisories, and tracking remediation progress to strengthen India's cyber defense posture.
- Provides legal protection and safe harbor to ethical hackers and security researchers who report vulnerabilities through official channels, reducing the risk of prosecution under IT Act Section 43
- Establishes standardized vulnerability disclosure timelines (30-90 days based on severity) ensuring critical security flaws in government and private sector systems are addressed promptly
- Creates a centralized repository of vulnerability intelligence specific to Indian digital infrastructure, enabling proactive threat mitigation across sectors
- Facilitates coordinated disclosure, preventing premature public exposure of unpatched vulnerabilities that could be exploited by malicious actors
- Strengthens India's cybersecurity ecosystem by institutionalizing collaboration between white-hat hackers, organizations, and CERT-In for continuous security improvement
- Many Indian organizations lack dedicated security response teams or Points of Contact (POCs) registered with CERT-In, which delays vulnerability acknowledgment and patch deployment
- Absence of mandatory bug bounty programs or financial incentives leads to underreporting of vulnerabilities, with researchers preferring international platforms offering rewards
- Limited legal clarity on the extent of testing permitted during vulnerability research, causing researchers to fear IT Act Section 66 prosecution despite safe harbor provisions
- Poor adherence to disclosure timelines by private sector entities, with several cases of vulnerabilities remaining unpatched beyond 90 days without penalties or enforcement mechanisms
- Inadequate public awareness about the policy among SMEs and startups, resulting in defensive postures and occasional legal threats against researchers reporting flaws
- In 2022, security researchers discovered critical vulnerabilities in multiple Indian government portals including Aadhaar-linked services and reported them through CERT-In's coordinated disclosure process, resulting in patches deployed within 45 days across affected systems without public exploitation.
- The Juspay data breach incident in 2021 exposed vulnerabilities affecting payment gateway data of over 10 crore users; subsequent CERT-In directives mandated enhanced vulnerability management and periodic security audits for fintech platforms under coordinated disclosure norms.
- In 2023, a white-hat hacker reported API vulnerabilities in a major Indian airline's booking system through CERT-In channels, but faced initial legal notices from the airline before CERT-In intervention clarified safe harbor provisions, highlighting awareness gaps among private entities.
- Establish mandatory bug bounty programs for all critical information infrastructure entities and government digital services with minimum reward thresholds to incentivize responsible disclosure
- Implement automated vulnerability tracking dashboards with public status updates (excluding technical details) to increase transparency and accountability in remediation timelines
- Conduct regular training programs for legal and security teams in Indian organizations on safe harbor provisions, acceptable researcher conduct, and coordinated disclosure protocols to reduce friction
- Develop sector-specific vulnerability disclosure guidelines for banking, healthcare, and telecom with differentiated timelines and reporting formats tailored to industry risk profiles and regulatory overlaps with RBI, IRDAI, and TRAI
Updated 6/4/2026 · refreshed weekly