Configuring Your Program
Step-by-step guide to all seven program settings tabs — scope, bounty matrix, SLAs, triage, payouts, spam, and security.txt.
Why It Matters
Good configuration is the difference between a credible VDP and a vague policy researchers ignore. Scope clarity protects your engineering team from off-topic reports, SLA targets keep your response times honest, and a well-defined bounty matrix sets researcher expectations before they submit.
Kit ships sensible defaults for every setting. You can go live immediately and tune later, but spending 15 minutes on configuration upfront will save you hours of misdirected triage.
Enabling VDP
Navigate to VDP to enable your program. Choose the Free tier to get started immediately, or the VDP Add-on ($49/mo) to unlock the full pipeline. You can upgrade anytime from Account Settings > Billing.
Once your program is created, navigate to VDP > Program Settings to configure it. Your program starts in Draft status — it will not accept reports until you set the status to Active.
General Tab
The General tab controls your program identity and disclosure policy.
| Field | Description |
|---|---|
| Program Name | Displayed on your disclosure policy page and researcher portal |
| Status | Draft, Active, or Paused — set to Active when configuration is complete |
| Disclosure Policy | Rich text field pre-populated with safe harbor language. Supports formatting, links, and lists. |
| Prohibited Actions | Actions researchers must not perform (e.g., social engineering, physical attacks, denial of service) |
Keep your program in Draft while you configure the remaining tabs. Switch to Active only when you are ready to accept submissions.
Scope Tab
Scope defines what researchers should and should not test. Vague scope generates vague reports — be specific.
| Field | Description |
|---|---|
| In-Scope Targets | Hosts, URLs, or IP ranges researchers should test (one per line). Example: app.yourcompany.com, api.yourcompany.com |
| Out-of-Scope Categories | OWASP-style category exclusions (e.g., “Denial of Service”, “Physical Attacks”) |
| Excluded Vulnerability Types | Specific vulnerability classes you will not accept (e.g., “Self-XSS”, “Missing rate limiting on non-critical endpoints”) |
If you leave In-Scope Targets empty, every asset is implicitly in scope. This is rarely what you want: researchers will probe anything they can attribute to you, and you will triage the results. At minimum, list your primary application domains.
Kit uses the scope configuration to validate incoming reports automatically. Reports targeting excluded vulnerability types or out-of-scope categories are flagged before they reach your triage board.
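As an added illustration of the kind of check described above, the following Python parses a scope list in the same one-entry-per-line shape as the In-Scope Targets field and flags a report before triage. It is example code written for this page, not Kit's own validation logic. The `IN_SCOPE` text is constructed; the `*.` wildcard entry form and the `classify_report` helper are assumptions for the example, not documented Kit fields.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed scope list in the same one-entry-per-line shape as the
# In-Scope Targets field. The "*." wildcard form is an assumption for
# this example, not a documented Kit feature.
IN_SCOPE = """
app.yourcompany.com
api.yourcompany.com
https://www.yourcompany.com/account/
203.0.113.0/24
*.staging.yourcompany.com
"""

# Excluded Vulnerability Types, compared case-insensitively.
EXCLUDED_TYPES = {"self-xss", "missing rate limiting on non-critical endpoints"}


def parse_scope(text):
    """Split the scope text into hosts, URL prefixes, IP networks and wildcards."""
    hosts, prefixes, networks, wildcards = set(), [], [], []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if "://" in line:                       # URL prefix: host plus path
            u = urlsplit(line)
            prefixes.append((u.hostname, u.path or "/"))
            continue
        try:                                    # bare IP or CIDR range
            networks.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        if line.startswith("*."):               # wildcard: sub-domains only
            wildcards.append(line[2:])
        else:
            hosts.add(line)
    return hosts, prefixes, networks, wildcards


def target_in_scope(target, scope):
    """True if the reported target (host, URL or IP literal) falls inside the scope."""
    hosts, prefixes, networks, wildcards = scope
    t = target.strip().lower()
    if "://" not in t:
        t = "//" + t                            # let urlsplit treat it as a netloc
    try:
        u = urlsplit(t)
        host = u.hostname
    except ValueError:                          # e.g. malformed IPv6 literal
        return False
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:                          # IP literal: only CIDR entries apply
        return any(ip in n for n in networks)
    if host in hosts:
        return True
    # A wildcard covers sub-domains only; the apex must be listed explicitly.
    if any(host.endswith("." + w) for w in wildcards):
        return True
    path = u.path or "/"
    return any(host == h and path.startswith(p) for h, p in prefixes)


def classify_report(report, scope, excluded_types):
    """Return the flags a pre-triage validation pass would attach to the report."""
    flags = []
    if report["vuln_type"].strip().lower() in excluded_types:
        flags.append("excluded-vulnerability-type")
    if not target_in_scope(report["target"], scope):
        flags.append("out-of-scope-target")
    return flags


if __name__ == "__main__":
    scope = parse_scope(IN_SCOPE)
    for r in [{"target": "https://api.yourcompany.com/v1/users", "vuln_type": "IDOR"},
              {"target": "app.yourcompany.com.evil.example", "vuln_type": "Self-XSS"}]:
        print(r["target"], classify_report(r, scope, EXCLUDED_TYPES))
```

Note the two deliberate strictness choices: a host is matched on the parsed hostname, so `app.yourcompany.com.evil.example` and `app.yourcompany.com@evil.example` do not match by substring, and a URL-prefix entry only covers paths under that prefix, so a report against `/blog` on a host whose scope entry is `/account/` is flagged rather than silently accepted.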
Bounty Matrix Tab
VDP Add-on — This tab requires the VDP Add-on ($49/mo). Free programs operate as no-bounty VDPs.
The bounty matrix defines payout ranges for each severity tier. Amounts are displayed on your disclosure policy page so researchers know what to expect.
| Severity | Default Min | Default Max |
|---|---|---|
| Super Critical | $5,000 | $10,000 |
| Critical | $1,500 | $5,000 |
| High | $500 | $1,500 |
| Medium | $150 | $500 |
| Low | $50 | $150 |
| Informational | $0 | $0 |
Adjust these ranges to match your budget and risk tolerance. When a CVSS assessment is recorded on a report, Kit automatically suggests a bounty amount within the matching tier’s range.
SLAs Tab
SLAs define your team’s response time commitments. The SLA clock starts at report submission. Your dashboard shows each report’s status as on-track, at-risk, or breached.
Acknowledgment SLA applies to all severities uniformly — it is the maximum time from submission to first response. Default: 72 hours.
Resolution targets vary by severity:
| Severity | Default Resolution Target |
|---|---|
| Super Critical | 24 hours |
| Critical | 72 hours (3 days) |
| High | 168 hours (1 week) |
| Medium | 336 hours (2 weeks) |
| Low | 720 hours (30 days) |
| Informational | 720 hours (30 days) |
Override any of these values to match your team’s capacity. Aggressive SLAs look good on paper but lose credibility if you routinely breach them. Set targets you can actually meet, then tighten them over time.
SLA indicators appear on each report card in the triage board:
- On Track (green) — less than 50% of the SLA window has elapsed
- At Risk (yellow) — more than 50% of the SLA window has elapsed but the deadline has not yet passed
- Breached (red) — the SLA deadline has passed
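To make the clock rules concrete, here is an added example (written for this page, not Kit's own code) that evaluates both clocks for a report using the default windows from this tab. It assumes the report is a plain dictionary with `submitted_at`, `severity` and optional `first_response_at` and `resolved_at` timestamps, and it treats exactly 50% elapsed as at-risk, the stricter reading of the thresholds above; neither of those is something the page specifies.

```python
from datetime import datetime, timedelta, timezone

# Default windows from the SLAs tab; override per program.
ACK_SLA = timedelta(hours=72)
RESOLUTION_SLA = {
    "super critical": timedelta(hours=24),
    "critical": timedelta(hours=72),
    "high": timedelta(hours=168),
    "medium": timedelta(hours=336),
    "low": timedelta(hours=720),
    "informational": timedelta(hours=720),
}


def sla_status(started_at, checked_at, window):
    """Map elapsed time within a window to the board's three indicator states.

    Assumption for this example: exactly 50% elapsed counts as at-risk.
    """
    elapsed = checked_at - started_at
    if elapsed >= window:
        return "breached"
    if elapsed * 2 >= window:
        return "at-risk"
    return "on-track"


def report_sla(report, now, ack_sla=ACK_SLA, resolution_sla=RESOLUTION_SLA):
    """Evaluate the acknowledgment and resolution clocks for one report.

    Both clocks start at submission. The acknowledgment clock stops at the
    first response and the resolution clock at resolution, so a report that
    was answered inside the window stays on-track for acknowledgment even
    when its fix is overdue.
    """
    submitted = report["submitted_at"]
    if submitted.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes for SLA arithmetic")
    window = resolution_sla[report["severity"].strip().lower()]
    ack_stop = report.get("first_response_at") or now
    res_stop = report.get("resolved_at") or now
    return {
        "acknowledgment": sla_status(submitted, ack_stop, ack_sla),
        "resolution": sla_status(submitted, res_stop, window),
        "ack_deadline": submitted + ack_sla,
        "resolution_deadline": submitted + window,
    }


if __name__ == "__main__":
    # Constructed sample report: a Critical submitted at midnight UTC,
    # answered after five hours, still unresolved 80 hours later.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sample = {"submitted_at": t0, "severity": "Critical",
              "first_response_at": t0 + timedelta(hours=5)}
    print(report_sla(sample, t0 + timedelta(hours=80)))
```

The timezone check is there because naive and aware datetimes cannot be subtracted; mixing them is the usual way SLA math goes wrong when submissions arrive with a server-local timestamp.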
Triage Tab
Triage settings control how incoming reports are routed and processed.
| Field | Default | Description |
|---|---|---|
| Default Assignee | None | Team member who receives new reports automatically. Set this to your primary security contact. |
| Escalation Severities | Critical, Super Critical | Severity tiers that trigger an escalation alert via email and Slack |
| Deduplication | Enabled | Flag potential duplicate reports before they reach your board |
| Require Retest | Off | Require researcher verification that a fix works before resolving |
| Max Appeals | 3 | Maximum number of appeals a researcher can file on a dismissed report |
If you do not set a default assignee, new reports appear unassigned on the triage board. Your team can still pick them up manually, but assignment ensures nothing slips through the cracks.
Escalation alerts are sent to the default assignee and posted to your configured Slack channel. Configure Slack integration under Account Settings > Integrations.
Payouts Tab
VDP Add-on — This tab requires the VDP Add-on ($49/mo). Free programs do not process payouts through Kit.
The Payouts tab configures how bounty disbursements are handled.
| Field | Default | Description |
|---|---|---|
| Supported Payment Methods | PayPal | Check the methods you support: PayPal, Bank Transfer, Crypto |
| Require Tax Documents | Yes | Researchers must upload a W-9 (US) or W-8BEN (international) before receiving payout |
| Require Agreement | Yes | Researchers must accept your disclosure agreement before payout |
| Minimum Payout | $50 | Awards below this threshold are held and paid out together once the researcher's cumulative earnings reach the minimum |
| Currency | USD | Currency for all bounty amounts and payouts |
Tax document requirements exist for your legal compliance. Disabling this setting means researchers can receive payouts without providing tax documentation — consult your finance team before turning it off.
Spam Tab
Spam settings protect your program from submission flooding and low-quality bulk reports.
| Field | Default | Description |
|---|---|---|
| Max Reports per Window | 5 | Maximum submissions per researcher within the rate-limit window |
| Window Duration | 5 minutes | Time window for rate limiting |
| Block Duration | 1 hour | How long a researcher is blocked after exceeding the limit |
| Cleanup Interval | 24 hours | How long spam records are retained before automatic deletion |
The defaults are conservative. If legitimate researchers are hitting the rate limit, raise the Max Reports threshold or shorten the window, so fewer submissions are counted against each researcher at once. If you are receiving heavy spam, lower the threshold or lengthen the window, and extend the block duration so that a flood costs the sender more than a single burst.
Blocked researchers see a clear message explaining when they can submit again. Spam records are cleaned up automatically on the configured interval.
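The four settings above describe a sliding-window limiter with a penalty block. The following Python is an added example of that mechanism with the tab's defaults baked in; it is written for this page and is not Kit's implementation. It assumes a per-researcher key and timestamps in seconds, and the `retry_after` value is what the "when you can submit again" message would be built from.

```python
from collections import defaultdict, deque


class SubmissionRateLimiter:
    """Sliding-window limiter with a penalty block, keyed per researcher.

    Defaults mirror the Spam tab: 5 reports per 5-minute window, a 1-hour
    block triggered by the submission that exceeds the limit, and records
    dropped after 24 hours of inactivity. Times are seconds (e.g. time.time()).
    """

    def __init__(self, max_reports=5, window=300, block=3600, cleanup=86400):
        self.max_reports = max_reports
        self.window = window
        self.block = block
        self.cleanup_interval = cleanup
        self._events = defaultdict(deque)   # researcher -> recent submission times
        self._blocked_until = {}            # researcher -> end of block
        self._last_seen = {}                # researcher -> last activity, for cleanup

    def check(self, researcher, now):
        """Record a submission attempt. Returns (allowed, retry_after_seconds)."""
        self._last_seen[researcher] = now
        until = self._blocked_until.get(researcher)
        if until is not None:
            if now < until:
                return False, until - now       # still blocked: say when it ends
            del self._blocked_until[researcher]
        q = self._events[researcher]
        while q and now - q[0] >= self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.max_reports:          # this attempt exceeds the limit
            self._blocked_until[researcher] = now + self.block
            q.clear()
            return False, self.block
        q.append(now)
        return True, 0

    def cleanup(self, now):
        """Drop records idle for a full cleanup interval and no longer blocked."""
        stale = [r for r, seen in self._last_seen.items()
                 if now - seen >= self.cleanup_interval
                 and now >= self._blocked_until.get(r, 0)]
        for r in stale:
            self._events.pop(r, None)
            self._blocked_until.pop(r, None)
            self._last_seen.pop(r, None)
        return len(stale)


if __name__ == "__main__":
    # Constructed burst: six submissions ten seconds apart from one account.
    limiter = SubmissionRateLimiter()
    for i in range(6):
        print(i + 1, limiter.check("researcher-1", 1000 + 10 * i))
```

Two properties worth noting: the limit is counted over any 5-minute span, not calendar buckets, so five submissions spread across a longer period are never blocked; and the block is only ever applied to the attempt that overflows, so a researcher who stops at the limit is never penalised. Because the key is the researcher account, this does nothing against a sender who creates many accounts; that case needs a second limit keyed on the client address, which this tab does not configure.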
security.txt Tab
This tab configures the fields used to generate your /.well-known/security.txt file per RFC 9116. Kit serves this file automatically when your program is active.
| Field | Default | Description |
|---|---|---|
| Contact Email | None (required) | The email address researchers use to report vulnerabilities. Published in the Contact: field. |
| Expiration | 365 days | Days from generation until the security.txt expires. RFC 9116 requires an Expires: field and recommends a value less than a year in the future, so the 365-day default sits right at that limit; regenerate the file well before it lapses. |
| Policy URL | Auto-generated | URL to your disclosure policy page. Defaults to your Kit-hosted policy. |
| Acknowledgments URL | None | URL to your Hall of Fame page, if enabled |
| Hiring URL | None | Link to your security team’s job postings |
| Encryption URL | None | URL to your PGP public key for encrypted communication |
You must set a contact email before your security.txt will be served. For full details on security.txt configuration, formatting, and verification, see security.txt Setup.
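To show what the tab's fields turn into on the wire, here is an added example (written for this page, not Kit's generator) that renders a security.txt from these settings and then checks the result against the RFC 9116 rules a reviewer would verify: Contact present and expressed as a URI, exactly one RFC 3339 Expires value that is neither past nor more than a year out, and https for web URIs. The `settings` keys and the `build_security_txt`/`validate_security_txt` names are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Tab field -> RFC 9116 field name. The settings keys are assumptions for
# this example, not Kit's API.
OPTIONAL_FIELDS = [
    ("Policy", "policy_url"),
    ("Acknowledgments", "acknowledgments_url"),
    ("Hiring", "hiring_url"),
    ("Encryption", "encryption_url"),
]


def build_security_txt(settings, now):
    """Render security.txt from the tab's settings. Contact Email is mandatory."""
    email = settings.get("contact_email")
    if not email:
        raise ValueError("Contact Email is required before security.txt can be served")
    days = settings.get("expiration_days", 365)
    expires = (now + timedelta(days=days)).astimezone(timezone.utc).replace(microsecond=0)
    lines = [
        f"Contact: mailto:{email}",               # Contact must be a URI, hence mailto:
        "Expires: " + expires.isoformat().replace("+00:00", "Z"),
    ]
    for field, key in OPTIONAL_FIELDS:
        if settings.get(key):
            lines.append(f"{field}: {settings[key]}")
    return "\n".join(lines) + "\n"


def validate_security_txt(text, now):
    """Return a list of problems; an empty list means the file passes these checks."""
    problems, fields = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"line {n}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip(), []).append(value.strip())

    if not fields.get("Contact"):
        problems.append("Contact is required")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            dt = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if dt.tzinfo is None:
                problems.append("Expires must include a timezone offset")
            elif dt <= now:
                problems.append("Expires is in the past")
            elif dt > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            problems.append("Expires is not an RFC 3339 date-time")
    for name in ("Contact", "Policy", "Acknowledgments", "Hiring", "Encryption", "Canonical"):
        for value in fields.get(name, []):
            scheme = urlsplit(value).scheme
            if not scheme:
                problems.append(f"{name} must be a URI (mailto:, tel: or https:)")
            elif scheme == "http":
                problems.append(f"{name} web URIs must use https")
    return problems


if __name__ == "__main__":
    # Constructed settings for a program with a policy page and a PGP key.
    now = datetime.now(timezone.utc)
    settings = {"contact_email": "security@yourcompany.com",
                "policy_url": "https://yourcompany.com/.well-known/policy",
                "encryption_url": "https://yourcompany.com/pgp-key.txt"}
    txt = build_security_txt(settings, now)
    print(txt)
    print("problems:", validate_security_txt(txt, now))
```

The generated text is what should be served at `/.well-known/security.txt` over HTTPS with a `text/plain` content type. Run the validator against the live URL periodically rather than once: the Expires check is the one that silently starts failing as the file ages.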
Quick Checklist
- Set program name and customize disclosure policy text
- Define in-scope targets and out-of-scope categories
- Configure bounty matrix (VDP Add-on) or acknowledge no-bounty program (Free)
- Set SLA targets per severity tier
- Assign a default triage owner
- Configure payout methods and tax requirements (VDP Add-on)
- Review spam thresholds
- Set contact email for security.txt
- Configure Slack integration for escalation alerts
- Set status to Active when ready
Next Steps
- security.txt Setup — detailed guide to RFC 9116 compliance and verification
- Triaging Reports — how to use the Kanban board, assess severity, and resolve reports