Vulnerability Disclosure Overview
What Kit's VDP module is, who it's for, and what's included.
Why It Matters
Security researchers are already probing your systems. Unsolicited reports arrive via email, Slack, Twitter, and support tickets with no structure, no SLA tracking, and no audit trail. A Vulnerability Disclosure Program (VDP) organizes that influx instead of ignoring it.
Three converging mandates eliminate the “do nothing” option:
| Mandate | Requirement | Deadline |
|---|---|---|
| SOC 2 Type II (CC4/CC7) | Evidence of vulnerability monitoring and structured response process | Ongoing — auditors increasingly treat a formal VDP as standard evidence |
| EU Cyber Resilience Act (CRA) | Vulnerability reporting obligations for products with digital elements | September 11, 2026 |
| Cyber insurance carriers | Verifiable vulnerability management as a condition of coverage | Varies by carrier — tightening quarterly |
Kit’s VDP module is compliance infrastructure, not a bug bounty platform. The budget comes from your compliance/GRC allocation ($5-10K/yr), not your AppSec budget. The buyer is a CTO preparing for a SOC 2 audit, not a CISO building a crowdsourced security program.
For comparison: HackerOne starts at $22K/yr with weeks of scoping calls. Kit deploys a fully compliant VDP in under 5 minutes — free to start, and the VDP Add-on at $49/mo unlocks the full triage and bounty pipeline.
Who It’s For
| Persona | Goal | Primary Pain |
|---|---|---|
| Founder / CTO | Pass SOC 2 audit, unblock enterprise deals, comply with CRA | Enterprise platforms cost $22K+/yr; security@ inbox is chaos; manual PayPal payouts create tax liability |
| Security Team Member | Efficiently assess, route, and close vulnerability reports | Context-switching between email, Slack, and Jira; no standardized severity scoring; SLA breaches invisible |
| Security Researcher | Get acknowledged quickly, communicate clearly, receive fair payment | Ghosting by program managers; 30-90 day payout cycles; opaque triage process |
All three personas interact with the same program. Each section of these docs is labeled for the relevant audience.
How It Works
- Enable — Navigate to VDP > Program Settings and set your program status to Active. Your `security.txt` file is published automatically.
- Publish — Set your program status to Active. Your submission form goes live and researchers discover you via `security.txt` and your disclosure policy page.
- Receive Reports — The structured intake form filters spam with rate limiting and CAPTCHA. Valid reports land in your triage board.
- Resolve — Triage the report, assess severity with CVSS v3.1, communicate with the researcher, fix the issue, and close the loop.
Program Statuses
| Status | Accepting Reports | Visible to Researchers | When to Use |
|---|---|---|---|
| Draft | No | No | Still configuring scope and policy |
| Active | Yes | Yes | Actively running your VDP |
| Paused | No | No | Temporarily suspending intake (e.g., during an incident) |
What’s Included
Free to start. Add the VDP Add-on ($49/mo) when you need structured triage, bounty payouts, or SOC 2 exports.
| Feature | Free | VDP Add-on ($49/mo) |
|---|---|---|
| security.txt (RFC 9116) | ✓ | ✓ |
| Disclosure policy page | ✓ | ✓ |
| Structured intake form + CAPTCHA | ✓ | ✓ |
| Reports/month | 25 | Unlimited |
| Basic email notifications | ✓ | ✓ |
| Kanban triage board | — | ✓ |
| CVSS v3.1 calculator | — | ✓ |
| SLA tracking & indicators | — | ✓ |
| Team assignment | — | ✓ |
| Deduplication | — | ✓ |
| Slack integration | — | ✓ |
| Custom email templates | — | ✓ |
| Researcher portal | — | ✓ |
| Metrics dashboard | — | ✓ |
| Hall of Fame | — | ✓ |
| Bounty approval | — | ✓ |
| Researcher payout info collection | — | ✓ |
| Tax document management (W-9/W-8BEN) | — | ✓ |
| Immutable financial ledger | — | ✓ |
| SOC 2 evidence export (CSV/PDF) | — | ✓ |
| API access | — | ✓ |
Annual pricing: $490/yr (save $98).
Quick Checklist
- Activate your program in VDP > Program Settings (set status to Active)
- Review default scope and adjust in-scope/out-of-scope targets
- Publish your program (status → Active)
- Verify `security.txt` is served at `/.well-known/security.txt`
- Share your submission URL (`/security/{program-slug}/reports/new`) with your team so they know where reports go
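The "Verify `security.txt` is served" step is worth automating, because a file that exists but is missing a required field or carries a past `Expires` date gives researchers no reliable contact. The script below is an added example, not part of Kit's product or this page: it fetches `/.well-known/security.txt` from an origin you name (or checks an embedded sample when run without arguments) and applies the RFC 9116 rules a reviewer cares about: `Contact` and `Expires` must be present, `Expires` and `Preferred-Languages` appear at most once, `Contact` values must be URIs (`mailto:`, `https:`, `tel:`), and `Expires` must be a timezone-aware ISO 8601 timestamp that is still in the future. The `example.com` origin, the `acme` program slug and both sample files are constructed for the example.

```python
"""Check a security.txt file against the RFC 9116 rules that matter in practice (added example)."""
import re
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

WELL_KNOWN_PATH = "/.well-known/security.txt"
REQUIRED_FIELDS = ("contact", "expires")
SINGLE_VALUED_FIELDS = ("expires", "preferred-languages")
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")  # any URI scheme prefix, e.g. mailto:, https:, tel:
REFERENCE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock used by the embedded samples

# Constructed sample that follows the RFC; the slug "acme" and example.com are placeholders.
GOOD_SAMPLE = """# constructed sample, not a real program's file
Contact: mailto:security@example.com
Contact: https://example.com/security/acme/reports/new
Expires: 2030-06-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/acme/policy
"""

# Constructed sample with the mistakes seen most often: bare e-mail, duplicate and stale Expires, a line with no value.
BAD_SAMPLE = """Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Hiring
"""


def parse_security_txt(text):
    """Return (fields, errors); fields maps lower-cased field names to the list of values seen."""
    fields, errors = {}, []
    in_pgp_header = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_pgp_header = True  # armor headers such as "Hash: SHA256" follow until a blank line
            continue
        if in_pgp_header:
            in_pgp_header = line != ""
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break  # the signature block carries no fields
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            errors.append(f"line {lineno}: not a 'Name: value' field")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def check_security_txt(text, now=None):
    """Validate the file and return {'fields', 'errors', 'warnings'}; errors mean the file is non-compliant."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            errors.append(f"missing required field '{name}'")
    for name in SINGLE_VALUED_FIELDS:
        if len(fields.get(name, [])) > 1:
            errors.append(f"field '{name}' must appear at most once")
    for value in fields.get("contact", []):
        if not URI_RE.match(value):
            errors.append(f"Contact value is not a URI (use mailto:, https: or tel:): {value}")
        elif value.lower().startswith("http:"):
            warnings.append(f"Contact uses plain http; prefer https: {value}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            errors.append("Expires must carry a timezone offset")
        elif expires <= now:
            errors.append(f"file expired on {value}; researchers may treat the contacts as stale")
        elif expires - now > timedelta(days=365):
            warnings.append("Expires is more than a year away; RFC 9116 recommends less than a year")
    return {"fields": fields, "errors": errors, "warnings": warnings}


def fetch_security_txt(origin, timeout=10):
    """GET https://<origin>/.well-known/security.txt and return its body (network access required)."""
    with urlopen(f"https://{origin}{WELL_KNOWN_PATH}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import sys
    text = fetch_security_txt(sys.argv[1]) if len(sys.argv) > 1 else GOOD_SAMPLE
    result = check_security_txt(text)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1].upper()}: {msg}")
    print("OK" if not result["errors"] else "FAIL")
```

Run it as `python check_security_txt.py your-domain.example` after publishing; a non-empty `errors` list is the signal to fix the file before sharing the submission URL, and the yearly `Expires` warning is a useful reminder to put the renewal on the calendar.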
Next Steps
- Configuring Your Program — scope, bounty matrix, SLAs, and all seven settings tabs
- security.txt Setup — RFC 9116 compliance, custom domains, and expiration management
- Navigate to VDP to enable your program and see pricing options