Bug Bounty and Vulnerability Disclosure Programs | Practical Law

A Practice Note explaining how to implement bug bounty and vulnerability disclosure programs, including key concepts and legal considerations that may affect organizations and security researchers, such as the Computer Fraud and Abuse Act (CFAA), Digital Millennium Copyright Act (DMCA), and federal and state laws and regulator expectations for reasonable information security practices. It also addresses program design and operations, including developing a vulnerability disclosure policy and a vulnerability response and handling process, with tips for avoiding program abuses.

Practical Law Practice Note w-014-4541 (Approx. 25 pages)

by Tara Swaminatha, ZeroDay Law LLC, with Practical Law Data Privacy & Cybersecurity
Maintained | USA (National/Federal)