Vulnerability disclosure is a structured process through which security flaws found by outside parties are reported to, and handled by, the affected organization. A vulnerability disclosure policy tells external security researchers how to report a flaw: which communication channel to use (for example a dedicated security mailbox or report form), what response times the organization commits to, and what the reporter can expect after submitting. Within an ISMS, publishing such a policy is a recommended element because it establishes a clear, pre-agreed reporting path, so that external findings reach the people who can fix them rather than going unanswered or being disclosed publicly first. It also supports ISO/IEC 27001:2022 Annex A control 8.8, Management of technical vulnerabilities, which expects the organization to obtain information about technical vulnerabilities in the systems it uses, assess its exposure and take appropriate measures; external reports are one input to that process alongside vendor advisories and internal scanning, and a disclosure policy alone does not satisfy the control. A published disclosure policy signals maturity and openness toward the security community.