Metrics and Exports
How to read your VDP metrics dashboard, manage researcher karma, publish the Hall of Fame, and generate SOC 2 evidence exports.
Why It Matters
Metrics are the primary mechanism for proving VDP effectiveness to auditors. “We have a vulnerability disclosure program” is not sufficient evidence. “We acknowledged 100% of reports within 72 hours and resolved critical issues within 48 hours” is.
SOC 2 Type II evidence requires time-bounded data: reports received, SLA compliance rate, severity distribution, and resolution times. Kit’s metrics dashboard and export pipeline are designed to produce exactly what your auditor asks for — without a scramble at quarter-end.
Dashboard KPIs
Five headline metrics appear at the top of your VDP dashboard. These give you an at-a-glance health check every time you open the module.
| KPI | Description |
|---|---|
| Open Reports | Count of reports not yet resolved or dismissed |
| Awaiting Triage | Reports in Submitted status with no assessment |
| SLA Compliance % | Percentage of reports acknowledged within the configured SLA |
| Bounties Approved | Total approved bounty value this period (VDP Add-on only) |
| AI Flagged | Count of reports with an AI slop flag awaiting human review |
KPIs refresh on page load. There is no auto-refresh — reload the page or navigate back to see updated numbers.
Metrics Page
Navigate to VDP > Metrics for detailed analytics. Use the period selector at the top to scope the data to the last 7, 30, or 90 days. These three ranges are the only options — there is no custom date picker on the metrics page.
The metrics page is divided into eight sections:
| Section | What It Shows |
|---|---|
| MTTA (Mean Time to Acknowledge) | Average hours from submission to first response, across all reports in the period |
| MTTR (Mean Time to Resolve) | Average hours from submission to resolution, broken down by severity tier |
| SLA Compliance Trend | Line chart showing compliance percentage over time — look for downward trends before they become audit findings |
| Reports Over Time | Bar chart of submissions per week or month — useful for spotting seasonal patterns or disclosure spikes |
| By Severity | Breakdown of reports by severity tier (Super Critical through Informational) |
| By Status | Distribution of currently open reports across status columns (Submitted, Triaged, Validated, In Progress, etc.) |
| By Vulnerability Type | OWASP category distribution — shows which vulnerability classes your product is most exposed to |
| Top Researchers | Ranked by valid report count — identifies your most valuable external contributors |
All sections respect the selected date range. MTTA and MTTR are the two numbers your SOC 2 auditor will ask about first.
Researcher Karma
Kit tracks researcher quality over time using a karma system. Navigate to VDP > Researchers for the full researcher directory with karma tiers.
| Karma Tier | Meaning | Effect |
|---|---|---|
| Trusted | Consistently valid, high-quality reports | Reports fast-tracked in triage |
| Neutral | No strong signal either way | Standard triage flow |
| Low | History of low-quality reports | Reports pre-flagged for review |
| Untrusted | Pattern of spam or bad-faith submissions | Reports auto-flagged; optional auto-reject |
Karma adjusts automatically based on events tied to the researcher’s submissions. Most events fire when a report moves through its lifecycle or is dismissed with a specific reason.
Positive events (increase karma):
- Report triaged
- Report validated
- Report resolved
- Bounty awarded for a confirmed vulnerability (higher-severity awards earn a bonus)
- Report dismissed as a valid duplicate of a real, already-reported issue
Negative events (decrease karma):
- Report dismissed as spam
- Report confirmed as AI slop
Beyond these automatic events, a triager (or the AI assistant) can apply a manual karma adjustment — positive or negative — from a fixed set of reasons, for cases the automatic rules do not cover.
Karma tiers help your team prioritize triage. A report from a Trusted researcher can be fast-tracked with higher confidence. A report from an Untrusted researcher still enters the queue but is flagged so your team can apply appropriate scrutiny.
Hall of Fame Management
Navigate to VDP > Hall of Fame to manage the public researcher leaderboard. The Hall of Fame recognizes researchers who have contributed valid reports to your program.
Key rules:
- Researchers opt in from their portal — staff cannot force a researcher onto the leaderboard
- Staff can Feature a researcher, which pins them to the top of the public page
- Staff can Remove a researcher from the leaderboard, which overrides their opt-in
The public Hall of Fame is available at /security/{program-slug}/hall-of-fame. Share this URL in your disclosure policy to signal that you value researcher contributions. Most programs publish the Hall of Fame once they have five or more opted-in researchers.
Generating Exports
There is no separate Exports page. Instead, one-click Download CSV and Download PDF buttons live on the pages where the underlying data already appears:
- Metrics (VDP > Metrics) — the export is scoped to the period currently selected on the page (last 7, 30, or 90 days)
- Ledger (VDP > Ledger) — exports the full financial and report trail with no date scoping (all-time)
- Disbursements (VDP > Disbursements) — exports from the payouts view, also with no date scoping (all-time)
Exports require the VDP Add-on ($49/mo). Only the Metrics page’s export is date-scoped; there are no status, severity, or vulnerability-type filters anywhere — every export simply covers every report in scope (the selected period on Metrics, or all-time from Ledger/Disbursements).
Choose your format:
| Format | Best For |
|---|---|
| CSV | Machine-readable data for spreadsheets, further analysis, or import into GRC tools |
| Human-readable report formatted for auditors — includes headers, summaries, and tables |
Each export includes four sections:
| Section | Contents |
|---|---|
| Report Summaries | Report ID, title, status, severity, CVSS score, vulnerability type, submission date, resolution date |
| SLA Performance | Per-report SLA status, submission time, SLA deadline, and elapsed hours |
| Communication Log | External messages only (researcher-facing communications, not internal notes) |
| Financial Ledger | Bounty approvals, disbursement records, and payout amounts for the period |
Exports are asynchronous. Clicking a download button opens the export’s status page, which updates live (via Turbo Stream) as Kit builds the file in the background — no email is sent. When processing finishes, a download link appears on that page. Large exports covering several quarters of data may take a few minutes, and the generated file is available for 7 days before it expires.
SOC 2 Evidence Workflow
The recommended workflow for SOC 2 Type II audits:
- At the end of each quarter, open VDP > Metrics, select the 90 days period (the closest approximation of a quarter), and use the export buttons — or open VDP > Ledger for the complete, all-time financial trail alongside the quarter’s report data
- Click Download PDF for the primary evidence file, then Download CSV as a supplement
- Wait for each export’s status page to finish processing, then use the download link that appears
- Attach both files to your CC4 (Monitoring Activities) and CC7 (System Operations) evidence folders
Your auditor will look for three things in this export: that reports are being received and tracked, that SLA targets are being met consistently, and that the financial ledger shows a clean trail from bounty approval through disbursement. The export is designed to answer all three questions without additional preparation.
See Bounties and Payouts for details on the financial ledger that feeds into exports.
Quick Checklist
- Review Dashboard KPIs at the start of each week to catch SLA compliance drops early
- Check the Metrics page at the start of each quarter to confirm MTTA and MTTR trends
- Review researcher karma tiers to identify Trusted researchers for expedited triage
- Publish the Hall of Fame once you have 5+ opted-in researchers
- Generate a quarterly export for your SOC 2 CC4/CC7 evidence folder (VDP Add-on)
- Set a recurring calendar reminder to pull metrics before each SOC 2 audit window
- Cross-reference the Triaging Reports workflow if SLA compliance is trending down
Next Steps
- Triaging Reports — the full triage workflow, SLA indicators, and bulk operations
- AI Integration — ask the AI assistant for metrics summaries and SLA analysis