
Sharing Reports With Peers

Share a single vulnerability report with an engineer outside your team via a secure, email-gated, expiring link — without exposing the researcher, bounty, or internal notes.

Why It Matters

A valid report often needs to reach someone who isn’t on your security team — the engineer who owns the affected service, an on-call lead, an external contractor. Forwarding the raw report leaks the researcher’s identity, your bounty figures, and your internal triage notes, and email threads can’t be revoked. Peer sharing gives that person exactly what they need to confirm and fix the bug — and nothing else — behind a link that expires and that you can revoke at any time.

Peer sharing is available on paid VDP plans.

Sharing a Report

Open a report and use Share with a peer in the Shared links panel. Enter the recipient’s email, choose whether to allow them to comment back, and send. Kit emails them a branded invitation on your program’s behalf — the email itself contains no vulnerability details.

The link is bound to that email address. When the peer opens it they must confirm the address before the report is shown, so a forwarded link is useless to anyone else — the confirmation only ever reaches the original recipient.

What the Peer Sees

The shared view is a redacted, read-only version of the report:

  • Shown — vulnerability type, affected endpoint, severity, description, reproduction steps, and attachments (served as short-lived, off-origin downloads).
  • Hidden — the researcher’s identity and email, bounty amounts, your internal notes, the assessment author, and your team’s timeline.

If you enabled comments, the peer can reply. Their replies land in the report as internal, staff-only notes (clearly marked as coming from an external peer) and are never shown to the researcher.

Expiry and Revocation

  • Links expire 7 days after they’re created.
  • A link stops working automatically the moment the report is dismissed or closed.
  • You can revoke a link at any time from the Shared links panel — the peer loses access immediately.
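The access rules described in the sections above (one link bound to one confirmed email address, a 7-day expiry, manual revocation, automatic cut-off once the report is dismissed or closed, a whitelist-redacted peer view, and self-service renewal that never works for a revoked link) can be modelled in a few dozen lines. The following is an added illustration, not Kit's code: the in-memory store, the field names, the HMAC-of-email binding and the `open`/`renew`/`revoke` method names are all assumptions chosen to show how the checks fit together.

```python
"""Toy model of email-bound, expiring, revocable share links.

Added example; not Kit's own implementation. The store, field names and the
keyed-hash binding of the recipient address are assumptions used to illustrate
the access rules: one link per confirmed address, 7-day TTL, revocation,
cut-off on dismiss/close, and a whitelist-redacted peer view.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LINK_TTL = timedelta(days=7)          # links expire 7 days after creation

# Only these fields reach the peer; any field not listed is hidden by default,
# so a newly added internal field can never leak by omission.
PEER_VISIBLE_FIELDS = ("id", "type", "endpoint", "severity",
                       "description", "steps", "attachments")

# Constructed sample report (not real data).
SAMPLE_REPORT = {
    "id": "RPT-001", "type": "IDOR", "endpoint": "/api/v1/orders/{id}",
    "severity": "High", "description": "Order lookup ignores the session owner.",
    "steps": "1. Log in as user A. 2. Request another user's order id.",
    "attachments": ["poc.txt"], "status": "triaged",
    # hidden from peers:
    "researcher_email": "hunter@example.net", "bounty": 1500,
    "internal_notes": "Owner team notified.", "assessment_author": "sec-lead",
    "timeline": ["2024-01-01 triaged"],
}

# Fixed clock for deterministic runs (assumption; a real service uses now()).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """T0 plus n days."""
    return T0 + timedelta(days=n)


def redact_for_peer(report: dict) -> dict:
    """Whitelist copy of the report for the shared view."""
    return {k: report[k] for k in PEER_VISIBLE_FIELDS}


@dataclass
class ShareLink:
    token: str
    report_id: str
    email_tag: str                 # keyed hash of the bound address, not the address
    created_at: datetime
    allow_comments: bool
    revoked: bool = False
    views: list = field(default_factory=list)   # (when, country) audit trail


class ShareStore:
    def __init__(self, secret: bytes, reports: dict):
        self._secret = secret
        self._reports = reports
        self._links = {}

    def _tag(self, email: str) -> str:
        # Normalize so "ENG@Example.com " and "eng@example.com" are one recipient.
        norm = email.strip().lower().encode()
        return hmac.new(self._secret, norm, hashlib.sha256).hexdigest()

    def create(self, report_id, email, allow_comments, now) -> str:
        token = secrets.token_urlsafe(32)   # unguessable; the address is not encoded in it
        self._links[token] = ShareLink(token, report_id, self._tag(email), now, allow_comments)
        return token

    def revoke(self, token: str) -> None:
        self._links[token].revoked = True

    def open(self, token, confirmed_email, now, country="??"):
        """Return ("ok", redacted_report) or (denial_reason, None)."""
        link = self._links.get(token)
        if link is None:
            return ("unknown", None)
        # Address confirmation comes first: a forwarded link fails here and learns nothing else.
        if not hmac.compare_digest(link.email_tag, self._tag(confirmed_email)):
            return ("wrong_email", None)
        if link.revoked:
            return ("revoked", None)
        if now - link.created_at > LINK_TTL:
            return ("expired", None)
        report = self._reports[link.report_id]
        if report["status"] in ("dismissed", "closed"):
            return ("report_closed", None)
        link.views.append((now, country))          # feeds view count / last viewed / country
        return ("ok", redact_for_peer(report))

    def renew(self, token, confirmed_email, now):
        """Self-service renewal of an expired link: same address only, never a revoked link."""
        link = self._links.get(token)
        if link is None or link.revoked:
            return None
        if not hmac.compare_digest(link.email_tag, self._tag(confirmed_email)):
            return None
        return self.create(link.report_id, confirmed_email, link.allow_comments, now)

    def view_count(self, token) -> int:
        return len(self._links[token].views)


if __name__ == "__main__":
    store = ShareStore(b"demo-secret", {"RPT-001": dict(SAMPLE_REPORT)})
    tok = store.create("RPT-001", "eng@example.com", True, day(0))
    print(store.open(tok, "eng@example.com", day(1), "DE"))
    print(store.open(tok, "someone-else@example.com", day(1)))
    print(store.open(tok, "eng@example.com", day(8)))
```

Two design points are worth noting. The redaction is a whitelist rather than a blacklist, so hidden data stays hidden when the report schema grows. And the address check runs before the revoked/expired checks, so someone holding a forwarded link sees the same "wrong address" outcome regardless of the link's state.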

When a Link Has Expired

A peer who opens an expired link no longer hits a dead end. After confirming the email the link was sent to, they can:

  • Request a fresh link — Kit emails a new 7-day link to that same address (never anywhere else), even if the report has since moved on. A revoked link can’t be self-renewed — revoking is your decision to end access, so the peer only sees a notice to contact you.
  • Request to join the team — the same request-to-join flow described below.

Seeing Who Opened a Report

External access is surfaced as a security signal, not a quiet “seen” receipt:

  • The Shared links panel shows each recipient, their status, view count, last-viewed time, and the country they opened it from.
  • The report header shows a “Shared · N external viewers” chip.
  • The report timeline records an External viewer opened this report event.
  • The person who shared the link and the report’s assignee are notified the first time each new address opens it — a new address on the same link can signal forwarding.

Requesting to Join the Team

A peer who needs ongoing access can request to join your security team from the shared report. The request lands with your account admins alongside any other access requests; approving it sends a normal team invitation, and once accepted they become a full member with their own account — no more one-off links.

When you open the request, Kit shows you who’s asking (name, email, the country they requested from) and which report the share came from — so you can confirm you actually shared with this person before inviting them. Approve sends the team invitation; Dismiss silently drops the request (the requester is never notified).
