## Why It Matters

A valid report often needs to reach someone who isn't on your security team — the engineer who owns the affected service, an on-call lead, an external contractor. Forwarding the raw report leaks the researcher's identity, your bounty figures, and your internal triage notes, and email threads can't be revoked. Peer sharing gives that person exactly what they need to confirm and fix the bug — and nothing else — behind a link that expires and that you can revoke at any time.

> Peer sharing is available on paid VDP plans.

## Sharing a Report

Open a [report](/csirt/reports) and use **Share with a peer** in the **Shared links** panel. Enter the recipient's email, choose whether to allow them to comment back, and send. Kit emails them a branded invitation on your program's behalf — the email itself contains no vulnerability details.

The link is **bound to that email address**. When the peer opens it they must confirm the address before the report is shown, so a forwarded link is useless to anyone else — the confirmation only ever reaches the original recipient.

## What the Peer Sees

The shared view is a redacted, read-only version of the report:

- **Shown** — vulnerability type, affected endpoint, severity, description, reproduction steps, and attachments (served as short-lived, off-origin downloads).
- **Hidden** — the researcher's identity and email, bounty amounts, your internal notes, the assessment author, and your team's timeline.

If you enabled comments, the peer can reply. Their replies land in the report as **internal, staff-only** notes (clearly marked as coming from an external peer) and are never shown to the researcher.

## Expiry and Revocation

- Links expire **7 days** after they're created.
- A link **stops working automatically** the moment the report is dismissed or closed.
- You can **revoke** a link at any time from the Shared links panel — the peer loses access immediately.

## When a Link Has Expired

A peer who opens an **expired** link does not hit a dead end. After confirming the email address the link was sent to, they can:

- **Request a fresh link** — Kit emails a new 7-day link to that same address (never anywhere else), even if the report has since moved on.
- **Request to join the team** — the request-to-join flow described below.

A **revoked** link can't be self-renewed: revoking is your decision to end access, so the peer only sees a notice to contact you.
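
The properties described above (a link bound to one email address, a 7-day expiry, immediate revocation, links dying when the report closes, allow-list redaction of the shared view, and self-renewal that works for expired but never for revoked links) fit together in one small model. The following is an added example written for this page; it is not Kit's code, and the class, method and field names (`ShareService`, `SHOWN_FIELDS`, `close_report`, `renew`, the report field names) are assumptions chosen to illustrate the mechanism:

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

LINK_TTL = timedelta(days=7)

# Allow-list of report fields a peer may see (field names are assumed).
# Anything not named here, such as researcher identity, bounty or internal
# notes, is dropped by construction rather than by a deny-list that can drift.
SHOWN_FIELDS = frozenset(
    {"vuln_type", "endpoint", "severity", "description", "steps", "attachments"})


@dataclass
class Report:
    id: str
    fields: dict = field(default_factory=dict)   # every field, internal ones included
    timeline: list = field(default_factory=list)


@dataclass
class ShareLink:
    report_id: str
    email: str                  # address the link is bound to (normalised)
    expires_at: datetime
    revoked: bool = False
    view_count: int = 0
    last_viewed: Optional[datetime] = None


class ShareService:
    """Assumed model of a share-link store; state lives server side so
    revocation and report closure take effect on the very next request."""

    def __init__(self) -> None:
        self.reports: dict = {}
        self.links: dict = {}    # sha256(token) -> ShareLink; raw tokens are never stored

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _link(self, token: str) -> ShareLink:
        try:
            return self.links[self._key(token)]
        except KeyError:
            raise PermissionError("unknown link") from None

    def create_link(self, report_id: str, email: str, now: datetime) -> str:
        """Mint a 256-bit opaque token bound to `email`; the caller emails it out."""
        token = secrets.token_urlsafe(32)
        self.links[self._key(token)] = ShareLink(
            report_id, email.strip().lower(), now + LINK_TTL)
        return token

    def status(self, token: str, now: datetime) -> str:
        link = self._link(token)
        if link.revoked:
            return "revoked"          # the sharer ended access: no self-renewal
        if now >= link.expires_at:
            return "expired"          # time ran out or the report closed: renewable
        return "active"

    def _check_email(self, link: ShareLink, confirmed_email: str) -> None:
        if link.email != confirmed_email.strip().lower():
            raise PermissionError("link is bound to a different address")

    def open(self, token: str, confirmed_email: str, now: datetime, country: str) -> dict:
        """Return the redacted view, or raise PermissionError if the link may not be used."""
        link = self._link(token)
        self._check_email(link, confirmed_email)   # email binding comes first
        state = self.status(token, now)
        if state != "active":
            raise PermissionError(f"link is {state}")
        report = self.reports[link.report_id]
        link.view_count += 1
        link.last_viewed = now
        report.timeline.append(("external_view", link.email, country, now))
        return {k: v for k, v in report.fields.items() if k in SHOWN_FIELDS}

    def revoke(self, token: str) -> None:
        self._link(token).revoked = True

    def close_report(self, report_id: str, now: datetime) -> None:
        """Closing or dismissing a report expires every link to it at once."""
        for link in self.links.values():
            if link.report_id == report_id:
                link.expires_at = min(link.expires_at, now)

    def renew(self, token: str, confirmed_email: str, now: datetime) -> str:
        """Self-service renewal of an expired link for the same address only."""
        link = self._link(token)
        self._check_email(link, confirmed_email)
        state = self.status(token, now)
        if state == "revoked":
            raise PermissionError("revoked links cannot be renewed; contact the sharer")
        if state == "active":
            raise ValueError("link has not expired")
        return self.create_link(link.report_id, link.email, now)
```

Two design points carry the security argument. The token is random and only its hash is stored, so a copied database row does not yield a working link and revocation is a flag flip rather than a key rotation. Closure is modelled as expiry, not revocation: that is what lets a peer self-renew after the report moved on while a deliberate revoke stays final.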

## Seeing Who Opened a Report

External access is surfaced as a security signal, not a quiet "seen" receipt:

- The **Shared links** panel shows each recipient, their status, view count, last-viewed time, and the country they opened it from.
- The report header shows a **"Shared · N external viewers"** chip.
- The report timeline records an **External viewer opened this report** event.
- The person who shared the link and the report's assignee are notified the first time each new address opens it — a new address on the same link can signal forwarding.

## Requesting to Join the Team

A peer who needs ongoing access can request to **join your security team** from the shared report. The request lands with your account admins alongside any other access requests; approving it sends a normal team invitation, and once accepted they become a full member with their own account — no more one-off links.

When you open the request, Kit shows you **who's asking** (name, email, the country they requested from) and **which report** the share came from — so you can confirm you actually shared with this person before inviting them. **Approve** sends the team invitation; **Dismiss** silently drops the request (the requester is never notified).