Most digital security incidents are caused by malicious actors (e.g. cybercriminals and state-sponsored groups) exploiting vulnerabilities in organisations’ digital ecosystems. Addressing vulnerabilities before attackers take advantage of them is an effective means of reducing the probability of cybersecurity incidents. This paper discusses vulnerabilities in products’ code such as software and firmware, and in how products are implemented in information systems. It shows that the technical community has progressed in developing good practice for treating vulnerabilities, including through co-ordinated vulnerability disclosure (CVD). However, significant economic and social challenges prevent stakeholders from adopting good practice, such as legal frameworks that do not sufficiently protect “ethical hackers” from legal proceedings. The paper stresses that public policies aimed at removing obstacles and encouraging vulnerability treatment could significantly reduce digital security risk for all. The findings from this paper will inform the development of a new OECD Recommendation in this area.