Compliance Infrastructure

SOC 2 vulnerability compliance in 5 minutes.

A security@ inbox isn't a vulnerability program. Kit gives you a structured VDP — security.txt auto-published, reports triaged, evidence ready for auditors. Free to start.

The problem with security@ email.

Every startup inherits the same broken workflow. Here's why it doesn't survive a SOC 2 audit.

Inbox chaos

Reports buried in threads, no SLA tracking, no CVSS scoring. When your auditor asks for evidence, you're searching through Gmail.

Auditor pressure

SOC 2 CC7.1 requires documented evidence of vulnerability monitoring. A Jira ticket isn't evidence. A timestamped audit trail is.

HackerOne starts at $22K/yr

Enterprise bug bounty platforms are built for enterprises. Startups need compliance now, not a 5-week procurement process and a six-figure contract.

AI-Native

Your AI runs triage. You run the program.

Kit's VDP ships with 21 MCP tools — the same AI infrastructure that manages your hiring pipeline now covers your entire vulnerability lifecycle.

21 tools. Full lifecycle coverage.

Read tools let your AI browse reports, check scope, detect duplicates, suggest severity, and pull metrics. Write tools let it triage, assess, respond, assign, and approve bounties — always with your confirmation.

Works with Claude, ChatGPT, Gemini, and Cursor.

Natural language triage.

Talk to your security data the same way you talk to your hiring data.

"Show me all High severity reports breaching SLA"
"Check report rpt_abc123 for duplicates and suggest severity"
"Draft a dismissal response — this looks out of scope"
"Approve a $500 bounty for the SQL injection report"

Everything you need. Nothing you don't.

Free features get you compliant today. The add-on takes you from compliant to confident.

Free

security.txt + disclosure policy

RFC 9116-compliant security.txt auto-published at /.well-known/security.txt. Expiration alerts keep it current. Researchers know how to reach you.
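As an added illustration (not Kit's code), here is a small Python checker for the RFC 9116 requirements referenced above: it parses a security.txt file, verifies that the mandatory Contact and Expires fields are present and well formed, and raises the kind of expiration alert described. The two sample files, the example.com hostnames, and the 30-day warning window are constructed assumptions.

```python
"""Validate a security.txt file against RFC 9116 and warn before it expires.

Added example; the sample files and hostnames below are constructed, not taken
from any real deployment.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a well-formed file as it would be served at
# /.well-known/security.txt (example.com is a placeholder).
SAMPLE_OK = """\
# Comments are allowed and ignored by parsers.
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/security-portal
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Constructed sample with two common defects: a bare e-mail address instead of
# a mailto: URI, and an Expires timestamp that has already passed.
SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""

REQUIRED_FIELDS = ("Contact", "Expires")
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {field: [values]} for each 'Name: value' line, skipping comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (expected 'Field: value'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None, warn_days=30):
    """Return a list of findings; an empty list means the file passes.

    `now` defaults to the current UTC time; pass a fixed datetime for testing.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            findings.append(f"missing required field: {name}")

    # RFC 9116: Expires and Preferred-Languages may appear at most once.
    for single in ("Expires", "Preferred-Languages"):
        if len(fields.get(single, [])) > 1:
            findings.append(f"{single} must appear at most once")

    # RFC 9116: every Contact value is a URI; web links must use https.
    for contact in fields.get("Contact", []):
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            findings.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    for raw_exp in fields.get("Expires", [])[:1]:
        try:
            # Accept the common trailing 'Z' on older Pythons by normalising it.
            expires = datetime.fromisoformat(raw_exp.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {raw_exp}")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        remaining = expires - now
        if remaining <= timedelta(0):
            findings.append(f"Expires is in the past ({raw_exp}); file is stale")
        elif remaining <= timedelta(days=warn_days):
            findings.append(f"Expires within {warn_days} days ({raw_exp}); renew now")
        elif remaining > timedelta(days=366):
            findings.append("Expires is more than a year out; RFC 9116 recommends under a year")

    return findings


if __name__ == "__main__":
    for label, sample in (("OK", SAMPLE_OK), ("BAD", SAMPLE_BAD)):
        print(label, check_security_txt(sample) or "no findings")
```

Run it against a live file by fetching `/.well-known/security.txt` and passing the body to `check_security_txt`; scheduling the check daily turns the "Expires within N days" finding into the expiration alert the free tier automates.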

Free

Structured intake form + CAPTCHA

No more freeform emails. Every report captures title, description, CVSS vector, proof-of-concept, and impact — structured from the start.

Add-on

Kanban triage + CVSS v3.1 + SLA tracking

Move reports from New → Triaged → Resolved with full status history. SLA timers fire automatically. Never miss a response deadline again.

Add-on

Bounty pipeline + SOC 2 exports + AI agent

Pay researchers via ACH/wire with 1099 tax handling. Export audit evidence in one click. AI agent screens duplicates and drafts responses.

5 minutes to compliance.

Three steps. No procurement, no integration projects, no waiting.

1. Enable VDP in your Kit settings

Toggle on the VDP module. Your security.txt is published instantly at /.well-known/security.txt and your disclosure policy page goes live.

2. First report arrives — structured, not scattered

Researchers submit through a branded intake form. You see a clean report with CVSS score, not a forwarded email chain.

3. Upgrade when triage matters

Add the full triage module for $49/mo when you're ready for kanban boards, SLA tracking, bounty payments, and SOC 2 export.

Honest pricing.

Free gets you audit-ready. The add-on gets you audit-confident.

DIY / HackerOne

  • security@ inbox (unstructured): $0
  • HackerOne Starter: $22K+/yr
  • Setup time and overhead: weeks

Plus 2–5 weeks of onboarding, custom integrations, legal review, and a dedicated program manager requirement.

Kit VDP

  • Setup time: 5 minutes
  • Free to start
  • Full triage add-on from $49/mo

  • security.txt auto-published
  • Structured intake form + CAPTCHA
  • Kanban triage + CVSS + SLA (add-on)
  • SOC 2 audit exports (add-on)

Questions, answered.

We're too small for a bug bounty program.

A VDP isn't a bug bounty — you're not offering rewards. It's a documented, compliant channel for researchers to report vulnerabilities. SOC 2 Type II, cyber insurers, and enterprise customers increasingly require proof that you have one. Kit's free tier gives you exactly that, with no commitment to pay anything.

Won't this invite hackers to attack us?

Researchers are already probing your infrastructure — they just have nowhere legitimate to send what they find. A VDP gives them a sanctioned path and provides you legal safe harbor. Without one, a well-meaning researcher might go public rather than risk legal exposure. With one, they come to you first.

Can I run a private, invite-only program?

Yes. Switch your portal to invite-only mode in Security Portal Settings and Kit generates a secret access token. Share the invite URL directly with trusted researchers — it grants them a persistent session on click. Anyone else who visits the portal sees a short access request form instead of a dead end. Pending requests appear in your sidebar with a badge; one click approves the request and sends the researcher their invite link automatically.

We'll get flooded with spam and low-quality reports.

Kit's intake form includes CAPTCHA, rate limiting, and an AI screening layer that catches junk before it reaches your queue. In practice, more than 80% of noise is filtered automatically. You'll see real reports — not inbox chaos.

We could just build a web form ourselves.

A form gets you intake. It doesn't give you SLA tracking, CVSS scoring, status history, researcher communication threads, bounty payments, tax document handling, or one-click SOC 2 export. Kit bundles all of that — so you spend an afternoon deploying it, not an engineering sprint building it.

What about HackerOne when we grow?

HackerOne is excellent at $22K+/yr for teams that need a public researcher marketplace. Kit's VDP is built for the compliance-first stage before that. When you're ready to move up, Kit exports your full program history — report summaries, CVSS scores, SLA performance, communication logs, and financial ledger — as CSV or PDF. Clean, structured data from day one. No migration headaches.

Is my VDP data portable if I leave Kit?

Yes. Kit's full account export packages every VDP record — programs, reports, assessments, messages, bounty awards, disbursements, researcher profiles, and AI screenings — into structured JSON. One click from Account Settings. You have 7 days to download the archive. Your security history is yours.

Regulatory Deadlines

The window is narrowing.

EU Cyber Resilience Act (CRA) reporting obligations take effect September 11, 2026. US OMB M-26-05 now requires federal contractors to maintain a VDP. SOC 2 Type II auditors are flagging the absence of vulnerability monitoring programs. The cost of having a VDP is 5 minutes. The cost of not having one is growing.

Deploy your VDP in 5 minutes. Free.

No credit card required. security.txt published instantly. Upgrade when you need triage.