Metrics and Exports
How to read your VDP metrics dashboard, manage researcher karma, publish the Hall of Fame, and generate SOC 2 evidence exports.
Why It Matters
Metrics are the primary mechanism for proving VDP effectiveness to auditors. “We have a vulnerability disclosure program” is not sufficient evidence. “We acknowledged 100% of reports within 72 hours and resolved critical issues within 48 hours” is.
SOC 2 Type II evidence requires time-bounded data: reports received, SLA compliance rate, severity distribution, and resolution times. Kit’s metrics dashboard and export pipeline are designed to produce exactly what your auditor asks for — without a scramble at quarter-end.
Dashboard KPIs
Five headline metrics appear at the top of your VDP dashboard. These give you an at-a-glance health check every time you open the module.
| KPI | Description |
|---|---|
| Open Reports | Count of reports not yet resolved or dismissed |
| Awaiting Triage | Reports in Submitted status with no assessment |
| SLA Compliance % | Percentage of reports acknowledged within the configured SLA |
| Bounties Approved | Total approved bounty value this period (VDP Add-on only) |
| AI Flagged | Count of reports with an AI slop flag awaiting human review |
KPIs refresh on page load. There is no auto-refresh — reload the page or navigate back to see updated numbers.
Metrics Page
Navigate to VDP > Metrics for detailed analytics. Use the date range filter at the top to scope the data: last 7 days, 30 days, 90 days, or a custom range.
The metrics page is divided into eight sections:
| Section | What It Shows |
|---|---|
| MTTA (Mean Time to Acknowledge) | Average hours from submission to first response, across all reports in the period |
| MTTR (Mean Time to Resolve) | Average hours from submission to resolution, broken down by severity tier |
| SLA Compliance Trend | Line chart showing compliance percentage over time — look for downward trends before they become audit findings |
| Reports Over Time | Bar chart of submissions per week or month — useful for spotting seasonal patterns or disclosure spikes |
| By Severity | Breakdown of reports by severity tier (Super Critical through Informational) |
| By Status | Distribution of currently open reports across status columns (Submitted, Triaged, Validated, In Progress, etc.) |
| By Vulnerability Type | OWASP category distribution — shows which vulnerability classes your product is most exposed to |
| Top Researchers | Ranked by valid report count — identifies your most valuable external contributors |
All sections respect the selected date range. MTTA and MTTR are the two numbers your SOC 2 auditor will ask about first.
Researcher Karma
Kit tracks researcher quality over time using a karma system. Navigate to VDP > Researchers for the full researcher directory with karma tiers.
| Karma Tier | Meaning | Effect |
|---|---|---|
| Trusted | Consistently valid, high-quality reports | Reports fast-tracked in triage |
| Neutral | No strong signal either way | Standard triage flow |
| Low | History of low-quality reports | Reports pre-flagged for review |
| Untrusted | Pattern of spam or bad-faith submissions | Reports auto-flagged; optional auto-reject |
Karma adjusts automatically based on events tied to the researcher’s submissions.
Positive events (increase karma):
- Valid report submitted and resolved
- Bounty paid for a confirmed vulnerability
- Fix verified by the researcher
Negative events (decrease karma):
- Report dismissed as spam
- Report dismissed as duplicate
- Repeated pattern of not-reproducible submissions
- Appeal rejected after review
Karma tiers help your team prioritize triage. A report from a Trusted researcher can be fast-tracked with higher confidence. A report from an Untrusted researcher still enters the queue but is flagged so your team can apply appropriate scrutiny.
Hall of Fame Management
Navigate to VDP > Hall of Fame to manage the public researcher leaderboard. The Hall of Fame recognizes researchers who have contributed valid reports to your program.
Key rules:
- Researchers opt in from their portal — staff cannot force a researcher onto the leaderboard
- Staff can Feature a researcher, which pins them to the top of the public page
- Staff can Remove a researcher from the leaderboard, which overrides their opt-in
The public Hall of Fame is available at /security/{program-slug}/hall-of-fame. Share this URL in your disclosure policy to signal that you value researcher contributions. Most programs publish the Hall of Fame once they have five or more opted-in researchers.
Generating Exports
Navigate to VDP > Exports and click New Export to generate an auditor-ready evidence package. Exports require the VDP Add-on ($49/mo).
Configure the export with these filters:
| Filter | Options |
|---|---|
| Date Range | Start date and end date for the reporting period |
| Status | Filter by report status (e.g., only Resolved, or all statuses) |
| Severity | Filter by severity tier (e.g., Critical and High only) |
| Vulnerability Type | Filter by OWASP category |
Choose your format:
| Format | Best For |
|---|---|
| CSV | Machine-readable data for spreadsheets, further analysis, or import into GRC tools |
| PDF | Human-readable report formatted for auditors — includes headers, summaries, and tables |
Each export includes four sections:
| Section | Contents |
|---|---|
| Report Summaries | Report ID, title, status, severity, CVSS score, submission date, resolution date |
| SLA Performance | Per-report SLA status (on-track or breached), elapsed hours to acknowledgment and resolution |
| Communication Log | External messages only (researcher-facing communications, not internal notes) |
| Financial Ledger | Bounty approvals, disbursement records, and payout statuses for the period |
Exports are asynchronous. Kit processes the export in the background and emails you a download link when it is ready. Large exports covering several quarters of data may take a few minutes.
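An auditor who asks how MTTA, MTTR and SLA Compliance % were calculated is best answered by recomputing them from the CSV export rather than from a screenshot. The script below is an added example for this page, not Kit's own code: it applies the Metrics page definitions (MTTA as hours from submission to first response, MTTR as hours from submission to resolution per severity tier, SLA compliance as the share of reports acknowledged within the configured SLA) to a Report Summaries CSV. The column names (`report_id`, `severity`, `status`, `submitted_at`, `acknowledged_at`, `resolved_at`), the 72-hour acknowledgment SLA and the sample rows are assumptions; the real export header may differ. It also shows two edge cases the dashboard has to decide on: reports still awaiting triage that are already past the SLA (counted as breached), and reports submitted before the period start (excluded, as the date range filter would).

```python
"""Recompute VDP dashboard metrics from a Report Summaries CSV export.

Added example for this documentation page; it is not Kit's own code.
Column names, the 72-hour SLA and the sample rows are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Assumed acknowledgment SLA, matching the page's "acknowledged within 72 hours" example.
SLA_ACK_HOURS = 72

# Constructed sample resembling an exported Report Summaries section (column names assumed).
# VDP-104 is still awaiting triage; VDP-105 was dismissed; VDP-106 predates the period.
SAMPLE_CSV = """\
report_id,severity,status,submitted_at,acknowledged_at,resolved_at
VDP-101,Critical,Resolved,2024-04-02T09:00:00Z,2024-04-02T15:00:00Z,2024-04-03T21:00:00Z
VDP-102,High,Resolved,2024-04-05T10:00:00Z,2024-04-06T10:00:00Z,2024-04-15T10:00:00Z
VDP-103,Medium,In Progress,2024-04-10T08:00:00Z,2024-04-14T08:00:00Z,
VDP-104,Low,Submitted,2024-04-28T12:00:00Z,,
VDP-105,Critical,Dismissed,2024-04-20T00:00:00Z,2024-04-20T01:00:00Z,2024-04-20T02:00:00Z
VDP-106,High,Resolved,2024-03-30T00:00:00Z,2024-03-30T01:00:00Z,2024-04-01T00:00:00Z
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty cell (no ack / no resolution yet) becomes None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours_between(start, end):
    return (end - start).total_seconds() / 3600


def load_reports(csv_text, period_start, period_end):
    """Return reports submitted within the period, mirroring the export's date range filter."""
    reports = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        submitted = parse_ts(row["submitted_at"])
        if not period_start <= submitted <= period_end:
            continue  # outside the reporting period: not part of this quarter's evidence
        reports.append({
            "id": row["report_id"],
            "severity": row["severity"],
            "status": row["status"],
            "submitted": submitted,
            "acknowledged": parse_ts(row["acknowledged_at"]),
            "resolved": parse_ts(row["resolved_at"]),
        })
    return reports


def compute_metrics(reports, as_of, sla_ack_hours=SLA_ACK_HOURS):
    """MTTA, MTTR by severity and SLA compliance for one reporting period."""
    ack_durations = []
    resolve_by_severity = defaultdict(list)
    sla = {"compliant": 0, "breached": 0, "pending": 0}
    breached_ids = []
    for r in reports:
        if r["acknowledged"] is not None:
            hours = hours_between(r["submitted"], r["acknowledged"])
            ack_durations.append(hours)
            if hours <= sla_ack_hours:
                sla["compliant"] += 1
            else:
                sla["breached"] += 1
                breached_ids.append(r["id"])
        elif hours_between(r["submitted"], as_of) > sla_ack_hours:
            # Awaiting triage and already past the SLA: a live breach, not a pending item.
            sla["breached"] += 1
            breached_ids.append(r["id"])
        else:
            sla["pending"] += 1  # not yet due; excluded from the compliance denominator
        # MTTR counts only reports that reached Resolved; dismissed reports are not fixes.
        if r["status"] == "Resolved" and r["resolved"] is not None:
            resolve_by_severity[r["severity"]].append(hours_between(r["submitted"], r["resolved"]))
    due = sla["compliant"] + sla["breached"]
    return {
        "reports_in_period": len(reports),
        "mtta_hours": round(mean(ack_durations), 2) if ack_durations else None,
        "mttr_hours_by_severity": {
            sev: round(mean(hours), 2) for sev, hours in sorted(resolve_by_severity.items())
        },
        "sla": {**sla, "compliance_pct": round(100 * sla["compliant"] / due, 1) if due else None},
        "breached_ids": breached_ids,
    }


def run_example():
    """Metrics for April 2024 on the constructed sample, evaluated at period end."""
    period_start = datetime(2024, 4, 1, tzinfo=timezone.utc)
    period_end = datetime(2024, 4, 30, 23, 59, 59, tzinfo=timezone.utc)
    reports = load_reports(SAMPLE_CSV, period_start, period_end)
    return compute_metrics(reports, as_of=period_end)


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Run it against the real CSV by swapping `SAMPLE_CSV` for the file contents and setting the period to the quarter you exported; if the numbers do not match the Metrics page, the difference is almost always in how pending and dismissed reports are counted, which is exactly the definition an auditor will ask you to state.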
SOC 2 Evidence Workflow
The recommended workflow for SOC 2 Type II audits:
- At the end of each quarter, navigate to VDP > Exports and create a new export covering the quarter
- Select All statuses and All severities to capture the complete picture
- Choose PDF format for the primary evidence file and CSV as a supplement
- Download both files when the email arrives
- Attach them to your CC4 (Monitoring Activities) and CC7 (System Operations) evidence folders
Your auditor will look for three things in this export: that reports are being received and tracked, that SLA targets are being met consistently, and that the financial ledger shows a clean trail from bounty approval through disbursement. The export is designed to answer all three questions without additional preparation.
See Bounties and Payouts for details on the financial ledger that feeds into exports.
Quick Checklist
- Review Dashboard KPIs at the start of each week to catch SLA compliance drops early
- Check the Metrics page at the start of each quarter to confirm MTTA and MTTR trends
- Review researcher karma tiers to identify Trusted researchers for expedited triage
- Publish the Hall of Fame once you have 5+ opted-in researchers
- Generate a quarterly export for your SOC 2 CC4/CC7 evidence folder (VDP Add-on)
- Set a recurring calendar reminder to pull metrics before each SOC 2 audit window
- Cross-reference the Triaging Reports workflow if SLA compliance is trending down
Next Steps
- Triaging Reports — the full triage workflow, SLA indicators, and bulk operations
- AI Integration — ask the AI assistant for metrics summaries and SLA analysis