Communicating with Researchers
How to use message threads, use reply templates in the composer, configure Slack notifications, and handle escalations.
Why It Matters
Researchers judge programs on communication speed and clarity more than bounty amounts. A program that acknowledges reports promptly and provides transparent status updates earns trust — and trust brings higher-quality submissions. Centralized message threads keep every communication auditable for SOC 2 evidence, so no report falls through the email cracks.
Message Threads
Every report has a dedicated message thread. This is where all communication between your team and the researcher happens — no side-channel emails or Slack DMs to lose track of.
Each message has one of two visibility modes:
| Mode | Visible To | Use Case |
|---|---|---|
| External | Staff and researcher | Asking for reproduction steps, sharing status updates, coordinating fixes |
| Internal | Staff only | Engineering notes, triage discussion, severity debate |
Toggle the Internal switch before sending to keep notes off the researcher-facing view. Internal messages appear with a yellow background and an “Internal” badge in the thread so your team can distinguish them at a glance.
Messages support Markdown formatting — bold, lists, code blocks, and links all render correctly. All messages are timestamped and attributed to the sender. Once sent, messages cannot be edited or deleted. This immutability is intentional: it preserves the audit trail that SOC 2 auditors expect.
Sending a Message
- Open a report from the Triage Board
- Navigate to the Messages tab
- Compose your message in the text box
- Toggle Internal if this is a staff-only note
- Click Send
External messages trigger an email to the researcher with a magic link back to their portal. The researcher can reply from the portal, and their response appears in the same thread in real time.
Some status transitions — such as acknowledging a report, requesting clarification, or marking it Validated — also send an automatic email to the researcher. These automatic emails use fixed, built-in templates that ship with Kit and are not editable in the app. To control your own outbound wording, use the Message Templates that pre-fill the reply composer (see below).
Message Templates
Message Templates seed the reply composer when your team manually replies to a researcher from a report’s Messages tab. They do not change the automatic system emails (acknowledgment, status-change notifications, magic link, and so on) — those are rendered from fixed, built-in templates.
When you compose a reply and pick a reply intent (Acknowledge, Clarify, Validate, Dismiss, or Bounty offer), Kit resolves the matching template and uses it to pre-fill your draft (and to seed the AI-assisted draft, which falls back to the template text if the AI is unavailable). You stay in control: nothing is sent until you review and click Send.
Navigate to VDP > Message Templates to customize them. Kit uses a 3-tier template hierarchy:
- System defaults — Built-in templates that ship with every program. Read-only.
- Account overrides — Your customized versions that apply to all programs on your account.
- Program-level overrides — Templates scoped to a specific program.
The most specific template wins. If you create an account-level override for report_acknowledged, it replaces the system default for every program on your account — for the purpose of pre-filling the reply composer, not the automatic acknowledgment email.
Templates use Liquid syntax ({{ variable_name }}). Click the Preview button to see how a template renders with sample data before saving.
Template Types
Kit defines 11 template types. Five are currently wired to the reply composer — picking the corresponding intent pre-fills your reply with that template:
| Template | Reply intent (composer) |
|---|---|
report_acknowledged |
Acknowledge |
clarification_requested |
Clarify |
report_validated |
Validate |
report_dismissed |
Dismiss |
bounty_approved |
Bounty offer |
The remaining types — report_resolved, fix_verification_requested, payout_sent, escalation, appeal_received, and magic_link — exist as template types but are not currently wired to any send path or composer intent, so editing them has no visible effect yet.
Available Liquid Variables
Use these variables in your template subject lines and bodies:
| Variable | Description |
|---|---|
{{ researcher_name }} |
Researcher’s display name or handle |
{{ report_id }} |
Prefixed report ID (e.g., rpt_abc123) |
{{ report_title }} |
Title of the vulnerability report |
{{ program_name }} |
Your VDP program name |
{{ severity }} |
Assessed severity tier (e.g., High, Critical) |
{{ bounty_amount }} |
Approved bounty in formatted currency (e.g., $500.00) |
{{ portal_link }} |
Magic-link URL to the researcher’s portal |
{{ sla_hours }} |
Configured SLA hours for this severity level |
{{ dismissal_reason }} |
Reason code from the dismissal (e.g., Out of Scope, Duplicate) |
For example, a customized report_acknowledged template might look like:
Hi {{ researcher_name }},
Thank you for submitting a report to {{ program_name }}. Your report ({{ report_id }}) has been received and our team will review it within {{ sla_hours }} hours.
You can track your report status at any time:
{{ portal_link }}
Email Branding
All researcher-facing emails are automatically branded with your account’s identity. This builds trust with reporters by matching the emails to your security portal’s look and feel.
What’s Branded
| Element | How It Works |
|---|---|
| Sender name | Emails arrive from your program name (e.g. “Acme VDP”) instead of the platform name |
| Logo | Your account logo appears in the email header |
| Accent color | CTA buttons use your brand’s primary color |
| Footer | Shows your program name alongside a small “Sent via Kit” attribution |
Configuration
Email branding inherits from your account-wide appearance settings. Navigate to Account Settings > Appearance to configure your logo and primary color. The same branding applies to your career portal, security portal, and now all researcher notification emails.
No per-template branding configuration is needed. Once you set up your account branding, all 11 researcher email types use it automatically.
If no logo is uploaded, emails display your program name as text. If no branding is configured at all, emails use the default platform styling.
Slack Notifications
Kit sends Slack notifications for key VDP events so your team stays informed without checking the dashboard.
Setup
- Navigate to Account Settings > Integrations > Slack and connect your workspace
- Open Program Settings and select which Slack channel should receive VDP notifications
Events
The following events fire Slack notifications. All are enabled by default when a channel is configured:
| Event | Default | Purpose |
|---|---|---|
| New report submitted | On | Alert the team to incoming reports |
| SLA at-risk warning | On | Flag reports approaching their SLA deadline |
| SLA breached | On | Escalate reports that missed their SLA |
| Critical/Super Critical severity triaged | On | Immediate awareness of high-severity findings |
| Bounty approved | On | Finance visibility into approved payouts |
| Appeal received | On | Alert when a researcher contests a dismissal |
All events go to the single Slack channel you configure in Program Settings.
Asking KitBot About Reports
Once Slack notifications are flowing, you can mention @KitBot in your VDP channel to ask questions without opening Kit. Where you mention it — and what you ask — determines what it answers (see Using @KitBot in Slack for the full picture):
- In a thread under any VDP notification (new report, bounty approved, SLA warning) — KitBot answers about that specific report: status, summary, timeline, SLA state, duplicate checks, severity context, and how the bounty compares to your matrix.
- Top-level in the channel — KitBot answers program-wide questions: SLA breaches, open report counts, and metrics.
Example Prompts
@KitBot is this report closed?
@KitBot summarize the timeline and current SLA state
@KitBot any SLA breaches right now?
KitBot is read-only in VDP channels. It cannot triage, assign, dismiss, message researchers, or approve bounties — for those actions it links you to the report in Kit.
To get answers, your Slack profile email must match your Kit account email, and your account needs an active VDP program. If the emails don’t match, KitBot sends you a private note explaining how to fix it instead of sharing report data.
Escalation
When a report is assessed as Critical or Super Critical — or any severity you mark as escalating — Kit fires an escalation notification to your configured VDP Slack channel. This post goes out regardless of your per-event Slack toggles: even if you’ve disabled Slack notifications for every other event, escalations still get through, so your on-call team is alerted immediately.
Important
Escalation is delivered over Slack only. There is no escalation email list. Triage Settings let you choose which severities escalate (and set a default assignee), but not who to email — so escalations reach your team only if a Slack channel is connected. If you haven’t connected one, escalations currently have no delivery channel. Connect Slack (see Slack Notifications above) to make sure Critical findings reach someone.
To choose which severities trigger an escalation, go to VDP > Program Settings > Triage and set your escalation severities. Use the Slack channel selector in Program Settings to control where the alert lands.
Quick Checklist
-
Customize the
report_acknowledgedreply template so the composer pre-fills your program’s tone -
Set up the
report_dismissedreply template to explain common dismissal reasons - Configure Slack integration so your team sees new reports in real time
- Mention @KitBot in a thread under a VDP notification to test report Q&A
- Connect a Slack channel so Critical and Super Critical escalations reach your team
- Use Internal messages for engineering coordination; External for researcher-facing communication
Next Steps
- The Researcher Portal — what researchers see, how they submit, and how they appeal
- Bounties and Payouts — approving bounties, tax documents, and the financial ledger