Which tracked vendors run a public security program — a paid bug bounty (great) or a vulnerability disclosure program (good). Both invite researchers to report flaws; a VDP rewards with recognition, a bounty adds cash. Either is a signal of proactive security investment, separate from CVE history.