Communicating with Researchers
How to use message threads, customize email templates, configure Slack notifications, and handle escalations.
Why It Matters
Researchers judge programs on communication speed and clarity more than bounty amounts. A program that acknowledges reports promptly and provides transparent status updates earns trust — and trust brings higher-quality submissions. Centralized message threads keep every communication auditable for SOC 2 evidence, so no report falls through the email cracks.
Message Threads
Every report has a dedicated message thread. This is where all communication between your team and the researcher happens — no side-channel emails or Slack DMs to lose track of.
Each message has one of two visibility modes:
| Mode | Visible To | Use Case |
|---|---|---|
| External | Staff and researcher | Asking for reproduction steps, sharing status updates, coordinating fixes |
| Internal | Staff only | Engineering notes, triage discussion, severity debate |
Toggle the Internal switch before sending to keep notes off the researcher-facing view. Internal messages appear with a yellow background and an “Internal” badge in the thread so your team can distinguish them at a glance.
Messages support Markdown formatting — bold, lists, code blocks, and links all render correctly. All messages are timestamped and attributed to the sender. Once sent, messages cannot be edited or deleted. This immutability is intentional: it preserves the audit trail that SOC 2 auditors expect.
Sending a Message
- Open a report from the Triage Board
- Navigate to the Messages tab
- Compose your message in the text box
- Toggle Internal if this is a staff-only note
- Click Send
External messages trigger an email to the researcher with a magic link back to their portal. The researcher can reply from the portal, and their response appears in the same thread in real time. Because the magic link is itself the researcher's portal login, treat it as a credential: do not put {{ portal_link }} into any template that can reach a mailbox other than the researcher's own.
Status transitions — such as moving a report to Needs Clarification or Validated — can automatically send a templated message to the researcher. Configure these templates in Email Templates to control what researchers see at each stage.
Email Templates
Navigate to VDP > Email Templates to customize the messages your program sends automatically. Kit uses a 3-tier template hierarchy:
- System defaults — Built-in templates that ship with every program. Read-only.
- Account overrides — Your customized versions that apply to all programs on your account.
- Program-level overrides — Templates scoped to a specific program (future).
The most specific template wins. If you create an account-level override for report_acknowledged, it replaces the system default for every program on your account.
Templates use Liquid syntax ({{ variable_name }}). Click the Preview button to see how a template renders with sample data before saving.
Template Types
Kit ships with 11 email templates, each triggered automatically by a specific event:
| Template | Trigger |
|---|---|
| report_acknowledged | Sent automatically when a researcher submits a report |
| clarification_requested | When report status changes to Needs Clarification |
| report_validated | When report status changes to Validated |
| report_resolved | When report status changes to Resolved |
| fix_verification_requested | When a retest is required before closing |
| report_dismissed | When a report is dismissed for any reason |
| bounty_approved | When staff approves a bounty amount |
| payout_sent | When a disbursement is marked complete |
| escalation | When a Critical or Super Critical report is triaged |
| appeal_received | When a researcher submits a dismissal appeal |
| magic_link | Portal login link sent to researchers |
Available Liquid Variables
Use these variables in your template subject lines and bodies:
| Variable | Description |
|---|---|
| {{ researcher_name }} | Researcher's display name or handle |
| {{ report_id }} | Prefixed report ID (e.g., rpt_abc123) |
| {{ report_title }} | Title of the vulnerability report |
| {{ program_name }} | Your VDP program name |
| {{ severity }} | Assessed severity tier (e.g., High, Critical) |
| {{ bounty_amount }} | Approved bounty in formatted currency (e.g., $500.00) |
| {{ portal_link }} | Magic-link URL to the researcher's portal |
| {{ sla_hours }} | Configured SLA hours for this severity level |
| {{ dismissal_reason }} | Reason code from the dismissal (e.g., Out of Scope, Duplicate) |
For example, a customized report_acknowledged template might look like:

```liquid
Hi {{ researcher_name }},

Thank you for submitting a report to {{ program_name }}. Your report ({{ report_id }}) has been received and our team will review it within {{ sla_hours }} hours.

You can track your report status at any time:
{{ portal_link }}
```
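Two things are worth checking before you save a template, and the Preview button is the place to catch them: a misspelled variable, which Liquid renders as an empty string rather than an error, so the researcher just sees a blank where the SLA should be; and values the researcher controls (their handle, their report title), which need Liquid's `escape` filter if your mail is rendered as HTML. The following Python checker is an added example, not Kit's code or its Liquid engine. It implements only the `{{ name | filter }}` subset of Liquid, takes the allowed variable list from the table above, and treats `researcher_name` and `report_title` as researcher-controlled and the HTML-mail question as assumptions, since the page does not say how Kit renders mail. The sample data and the deliberately broken template are constructed for the example.

```python
import html
import re

# Variables the page lists as available in Kit email templates.
ALLOWED_VARS = {
    "researcher_name", "report_id", "report_title", "program_name",
    "severity", "bounty_amount", "portal_link", "sla_hours",
    "dismissal_reason",
}

# Assumption for this example: these values originate from the researcher,
# so they must be escaped if the template is rendered as HTML mail.
RESEARCHER_CONTROLLED = {"researcher_name", "report_title"}

# Matches {{ name }} or {{ name | filter | filter }} (toy subset of Liquid).
_TAG = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*((?:\|\s*[A-Za-z_]+\s*)*)\}\}")


def _filters(chain: str):
    return [f.strip() for f in chain.split("|") if f.strip()]


def find_tags(template: str):
    """Return (variable_name, [filters]) for every tag, in order of appearance."""
    return [(m.group(1), _filters(m.group(2))) for m in _TAG.finditer(template)]


def lint_template(template: str, html_mail: bool = False):
    """Return a list of problems to fix before saving the template.

    Unknown variables matter because Liquid renders an undefined variable as
    "", so a typo silently produces a blank in the researcher's email.
    """
    problems = []
    for name, filters in find_tags(template):
        if name not in ALLOWED_VARS:
            problems.append(f"unknown variable: {name}")
        elif html_mail and name in RESEARCHER_CONTROLLED and "escape" not in filters:
            problems.append(f"researcher-controlled variable without escape filter: {name}")
    return problems


def render_preview(template: str, sample: dict) -> str:
    """Substitute sample values the way a preview would (toy subset of Liquid).

    Unknown variables render as "" to mirror Liquid's default behaviour; the
    `escape` filter HTML-escapes the value; any other filter is ignored here.
    """
    def substitute(m):
        value = str(sample.get(m.group(1), ""))
        if "escape" in _filters(m.group(2)):
            value = html.escape(value, quote=True)
        return value
    return _TAG.sub(substitute, template)


# Constructed sample data for the preview (not real report data).
SAMPLE = {
    "researcher_name": "alice <script>alert(1)</script>",
    "report_id": "rpt_abc123",
    "program_name": "Example VDP",
    "sla_hours": 72,
    "portal_link": "https://portal.example.com/r/rpt_abc123?token=sample",
}

# Constructed template with one typo: sla_hour instead of sla_hours.
ACK_TEMPLATE = """Hi {{ researcher_name | escape }},

Thank you for submitting a report to {{ program_name }}. Your report ({{ report_id }}) will be reviewed within {{ sla_hour }} hours.

{{ portal_link }}
"""

if __name__ == "__main__":
    for problem in lint_template(ACK_TEMPLATE, html_mail=True):
        print("LINT:", problem)
    print(render_preview(ACK_TEMPLATE, SAMPLE))
```

Run it and the lint reports the `sla_hour` typo while the rendered preview shows the blank it would have produced; the escaped handle shows why the filter matters when a handle can carry markup. The allowed-variable set is the one place to update if the variable table changes.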
Slack Notifications
Kit sends Slack notifications for key VDP events so your team stays informed without checking the dashboard.
Setup
- Navigate to Account Settings > Integrations > Slack and connect your workspace
- Open Program Settings and select which Slack channel should receive VDP notifications
Events
The following events fire Slack notifications. All are enabled by default when a channel is configured:
| Event | Default | Purpose |
|---|---|---|
| New report submitted | On | Alert the team to incoming reports |
| SLA at-risk warning | On | Flag reports approaching their SLA deadline |
| SLA breached | On | Escalate reports that missed their SLA |
| Critical/Super Critical severity triaged | On | Immediate awareness of high-severity findings |
| Bounty approved | On | Finance visibility into approved payouts |
| Appeal received | On | Alert when a researcher contests a dismissal |
All events go to the single Slack channel you configure in Program Settings.
Escalation
When a report is assessed as Critical or Super Critical, Kit triggers an escalation that bypasses normal notification preferences. This ensures your on-call team is notified immediately, regardless of individual notification settings.
Escalation fires two notifications simultaneously:
- Email — Sent to every address on the configured escalation list in Triage Settings, plus the report assignee. Uses the escalation email template.
- Slack — Posts to the configured VDP channel regardless of per-event toggles. Even if you have disabled Slack notifications for other events, escalations always get through.
Configure escalation recipients in VDP > Program Settings > Triage. Add anyone who should be woken up for a Critical finding — your security lead, CTO, or on-call rotation alias.
Quick Checklist
- Customize the report_acknowledged template with your program name and tone
- Set up the report_dismissed template to explain why common dismissal reasons happen
- Configure Slack integration so your team sees new reports in real time
- Add escalation email addresses for Critical and Super Critical reports
- Use Internal messages for engineering coordination; External for researcher-facing communication
Next Steps
- The Researcher Portal — what researchers see, how they submit, and how they appeal
- Bounties and Payouts — approving bounties, tax documents, and the financial ledger