## Why It Matters

Security researchers are already probing your systems. Unsolicited reports arrive via email, Slack, Twitter, and support tickets with no structure, no SLA tracking, and no audit trail. A Vulnerability Disclosure Program (VDP) organizes that influx instead of ignoring it.

Three converging mandates eliminate the "do nothing" option:

| Mandate | Requirement | Deadline |
|---------|-------------|----------|
| SOC 2 Type II (CC4/CC7) | Evidence of vulnerability monitoring and structured response process | Ongoing — auditors increasingly treat a formal VDP as standard evidence |
| EU Cyber Resilience Act (CRA) | Vulnerability reporting obligations for products with digital elements | September 11, 2026 |
| Cyber insurance carriers | Verifiable vulnerability management as a condition of coverage | Varies by carrier — tightening quarterly |

Kit's VDP module is **compliance infrastructure**, not a bug bounty platform. The budget comes from your compliance/GRC allocation ($5-10K/yr), not your AppSec budget. The buyer is a CTO preparing for a SOC 2 audit, not a CISO building a crowdsourced security program.

For comparison: HackerOne starts at $22K/yr with weeks of scoping calls. Kit deploys a fully compliant VDP in under 5 minutes — free to start, and the **VDP Add-on** at $49/mo unlocks the full triage and bounty pipeline.

## Who It's For

| Persona | Goal | Primary Pain |
|---------|------|--------------|
| Founder / CTO | Pass SOC 2 audit, unblock enterprise deals, comply with CRA | Enterprise platforms cost $22K+/yr; security@ inbox is chaos; manual PayPal payouts create tax liability |
| Security Team Member | Efficiently assess, route, and close vulnerability reports | Context-switching between email, Slack, and Jira; no standardized severity scoring; SLA breaches invisible |
| Security Researcher | Get acknowledged quickly, communicate clearly, receive fair payment | Ghosting by program managers; 30-90 day payout cycles; opaque triage process |

All three personas interact with the same program. Each section of these docs is labeled for the relevant audience.

## How It Works

1. **Enable** — Navigate to [VDP > Program Settings](/csirt/program/general_config/edit) and set your program status to **Active**. Your `security.txt` file is published automatically.
2. **Publish** — Set your program status to Active. Your submission form goes live and researchers discover you via `security.txt` and your disclosure policy page.
3. **Receive Reports** — The structured intake form filters spam with rate limiting and CAPTCHA. Valid reports land in your triage board.
4. **Resolve** — Triage the report, assess severity with CVSS v3.1, communicate with the researcher, fix the issue, and close the loop.

## Program Statuses

| Status | Accepting Reports | Visible to Researchers | When to Use |
|--------|:-----------------:|:----------------------:|-------------|
| Draft | No | No | Still configuring scope and policy |
| Active | Yes | Yes | Actively running your VDP |
| Paused | No | No | Temporarily suspending intake (e.g., during an incident) |

## What's Included

Free to start. Add the VDP Add-on ($49/mo) when you need structured triage, bounty payouts, or SOC 2 exports.

| Feature | Free | VDP Add-on ($49/mo) |
|---------|:----:|:-------------------:|
| security.txt (RFC 9116) | ✓ | ✓ |
| Disclosure policy page | ✓ | ✓ |
| Structured intake form + CAPTCHA | ✓ | ✓ |
| Reports/month | 25 | Unlimited |
| Branded email notifications | ✓ | ✓ |
| Kanban triage board | — | ✓ |
| CVSS v3.1 calculator | — | ✓ |
| SLA tracking & indicators | — | ✓ |
| Team assignment | — | ✓ |
| Deduplication | — | ✓ |
| On-call rotation | — | ✓ |
| Slack integration | — | ✓ |
| Custom email templates | — | ✓ |
| Researcher portal | — | ✓ |
| Metrics dashboard | — | ✓ |
| Hall of Fame | — | ✓ |
| Bounty approval | — | ✓ |
| Researcher payout info collection | — | ✓ |
| Tax document management (W-9/W-8BEN) | — | ✓ |
| Immutable financial ledger | — | ✓ |
| SOC 2 evidence export (CSV/PDF) | — | ✓ |
| API access | — | ✓ |

Annual pricing: $490/yr (save $98).

## Quick Checklist

- [ ] Activate your program in [VDP > Program Settings](/csirt/program/general_config/edit) (set status to Active)
- [ ] Review default scope and adjust in-scope/out-of-scope targets
- [ ] Publish your program (status → Active)
- [ ] Verify `security.txt` is served at `/.well-known/security.txt`
- [ ] Share your submission URL (`/security/{program-slug}/reports/new`) with your team so they know where reports go
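To verify the last checklist items beyond "the URL returns something", the following added example (not Kit's own code) checks a fetched `security.txt` body against the RFC 9116 rules the file must satisfy: `Contact` and `Expires` present, `Expires` and `Preferred-Languages` at most once, `Contact` values as URIs, and `Expires` a timezone-qualified ISO 8601 timestamp that is in the future but not more than a year out. The sample body, the `example.com` host and the program slug are constructed placeholders; pass the text you retrieve from `/.well-known/security.txt` over HTTPS.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample body for this example; not a real deployment's file.
SAMPLE = """# constructed example
Contact: mailto:security@example.com
Contact: https://example.com/security/example-program/reports/new
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

def parse_security_txt(text):
    """Map lowercase field names to their values, skipping blank and '#' comment lines."""
    fields, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            malformed.append(line)  # RFC 9116 lines are always "Field: value"
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, malformed

def validate_security_txt(text, now=None):
    """Return a list of RFC 9116 findings; an empty list means these checks pass."""
    now = now or datetime.now(timezone.utc)
    fields, malformed = parse_security_txt(text)
    findings = [f"malformed line: {m}" for m in malformed]
    for name in ("contact", "expires"):           # both fields are REQUIRED
        if name not in fields:
            findings.append(f"missing required field: {name}")
    for name in ("expires", "preferred-languages"):  # both MUST NOT repeat
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name} must appear at most once")
    for value in fields.get("contact", []):      # contacts are URIs, not bare addresses
        if not re.match(r"^(mailto:|https://|tel:)", value):
            findings.append(f"contact is not a mailto:/https:/tel: URI: {value}")
    if fields.get("expires"):
        try:
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            return findings + ["expires is not an ISO 8601 datetime"]
        if exp.tzinfo is None:
            findings.append("expires lacks a timezone offset")
        elif exp <= now:
            findings.append("expires is in the past; researchers will treat the file as stale")
        elif exp - now > timedelta(days=365):
            findings.append("expires is more than a year out; RFC 9116 recommends less")
    return findings
```

Run it periodically (for example from the same job that rotates the `Expires` value) so an expired file is caught before a researcher finds it.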

## Next Steps

- [Configuring Your Program](/docs/configuring-your-program) — scope, bounty matrix, SLAs, and all seven settings tabs
- [security.txt Setup](/docs/security-txt-setup) — RFC 9116 compliance, custom domains, and expiration management
- Navigate to [VDP](/csirt) to enable your program and see pricing options