The document discusses APNIC's creation and first year of operations of its Vulnerability Reporting Program (VRP). Some key points: - APNIC initially received vulnerability reports through various email addresses before creating its VRP. The VRP layout included guidelines for scope, reporting details, and a safe harbor policy. - Over the first year, the VRP received 73 reports, mostly for issues like XSS and information disclosure. Most reports came from a small number of frequent security researchers. - Based on lessons learned, APNIC now uses a vulnerability coordination vendor, HackerOne, to receive and triage reports. The VRP page was updated and the scope clarified. After a year, AP