Earlier this month, a critical FaceTime security vulnerability was found by an ordinary 14-year-old and reported by his mother to Apple. The discovery of this bug, and the struggle to report it, serves as an eye-opener for many organisations. Responsible disclosure can be challenging, even for those operating an invite-only bug bounty programme, such as Apple. No company wants to be the last to hear about a critical vulnerability an end-user found in their product or website. So how can organisations better work with hackers to find their critical vulnerabilities fast? There are several best practices any company can follow to increase the chances for disclosure success.