Your first vulnerability disclosure program. Live in 5 minutes.
Researchers are already probing your infrastructure - they just have nowhere to report what they find. Kit gives you a structured VDP with security.txt auto-published, a branded intake portal, and evidence ready for auditors. Free to deploy.
A VDP is how your company handles vulnerability reports.
A Vulnerability Disclosure Program is a formal, documented channel for security researchers to report bugs in your software. Think of it as a structured version of security@ email - with SLA tracking, CVSS scoring, and an audit trail. SOC 2 auditors, cyber insurers, and enterprise customers increasingly require one.
Kit already handles your candidate pipeline. Your VDP runs on the same infrastructure, the same audit trail, the same team.
The window is narrowing.
SOC 2 Type II
CC7.1: auditors are flagging the absence of documented vulnerability monitoring programs.
EU Cyber Resilience Act
Article 14 requires vulnerability reporting for products with digital elements.
NIS2 Directive
Art. 21(2)(e) mandates VDP as one of ten required cybersecurity measures for essential and important entities. Fines up to EUR 10M or 2% of revenue.
Cyber Insurance
Cyber insurance underwriters are adding VDP to policy application questionnaires.
The problem with security@ email.
Every startup inherits the same broken workflow. Here's why it doesn't survive a SOC 2 audit.
Your auditor just asked about CC7.1
SOC 2 CC7.1 requires documented evidence of vulnerability monitoring. A Jira ticket isn't evidence. A timestamped audit trail is.
Enterprise deals blocked
Enterprise prospects send security questionnaires. "Do you have a VDP?" is now a standard question. Without one, the deal stalls at procurement.
Managed platforms start at $22K/yr
HackerOne and Bugcrowd offer free submission forms. Their managed programs with real triage start at $22K+/yr. Kit gives you operational triage for $49/mo.
From report to resolution.
- Branded portal: Your logo, your domain, your disclosure policy. Researchers see a professional, branded experience.
- Structured reports: Every report captures title, severity, proof-of-concept, and impact. No more parsing email threads.
- Full lifecycle tracking: Reports flow from submission through triage to resolution. Full status history, SLA timers, and audit trail at every step.
[Dashboard mockup: sample report "SQL Injection in /api/v2/users" with summary "The /api/v2/users endpoint accepts unsanitised input in the search parameter, allowing..." and impact "Authenticated users can extract other users' PII"; other queued report tags: SQL Injection, XSS in Search, CSRF Token]
5 minutes to compliance.
Three steps. No procurement, no integration projects, no waiting.
Enable VDP
Toggle on the VDP module in your Kit settings. Your security.txt is published instantly at /.well-known/security.txt and your disclosure policy page goes live.
First report arrives structured
Researchers submit through a branded intake form on your custom domain. You see a clean report with CVSS score, not a forwarded email chain.
Upgrade when triage matters
Add the full triage module for $49/mo when you're ready for kanban boards, SLA tracking, bounty payments, and SOC 2 export.
Free gets you compliant. The add-on gets you confident.
Free features get you compliant today. The add-on takes you from compliant to confident.
security.txt + disclosure policy
RFC 9116-compliant security.txt auto-published at /.well-known/security.txt. Expiration alerts keep it current. Researchers know how to reach you.
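The kind of check the expiration alerts above imply, written out as an added example (not Kit's code): it parses a file as served at /.well-known/security.txt, confirms the RFC 9116 required fields Contact and Expires are present, and flags an Expires that is malformed, missing a timezone, already past, or more than a year out. The sample file and the example.com URLs are constructed.

```python
"""RFC 9116 security.txt checker (added example, not Kit's own code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_VALIDITY = timedelta(days=365)  # RFC 9116 recommends an Expires at most a year out

SAMPLE = """# Constructed sample, not a real site's file
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/security-portal
Expires: 2030-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""

def parse_rfc3339(value: str) -> datetime:
    """datetime.fromisoformat only accepts the 'Z' suffix from Python 3.11 on."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map lower-cased field name -> values; comments and blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank, or malformed line: nothing to record
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text: str, now: Optional[str] = None) -> List[str]:
    """Return findings that make the file non-compliant or stale; [] means it passes.
    `now` is an RFC 3339 timestamp, defaulting to the current UTC time."""
    current = parse_rfc3339(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings: List[str] = []
    if not fields.get("contact"):
        findings.append("missing required Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return findings + ["Expires must appear exactly once"]
    try:
        exp = parse_rfc3339(expires[0])
    except ValueError:
        return findings + [f"Expires is not an RFC 3339 timestamp: {expires[0]}"]
    if exp.tzinfo is None:
        findings.append("Expires must carry a timezone offset")
    elif exp <= current:
        findings.append(f"security.txt expired on {exp.isoformat()}")
    elif exp - current > MAX_VALIDITY:
        findings.append("Expires is more than a year out")
    return findings
```

Run it on a schedule against your live file and alert on any non-empty result; a stale Expires is the most common way a published security.txt silently stops being trusted.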
Structured intake form + CAPTCHA
No more freeform emails. Every report captures title, description, CVSS vector, proof-of-concept, and impact - structured from the start.
Automated spam filtering
CAPTCHA, rate limiting, and AI screening catch more than 80% of junk before it reaches your queue. You see real reports, not noise.
Invite-only mode
Run a private program with invite-only access. Share secure invite links with trusted researchers. Pending access requests appear in your sidebar.
Custom domain portal
Run your security portal on your own domain. Researchers see your brand, not ours. Custom domains are free for all VDP accounts.
EU-hosted infrastructure
Your vulnerability data never leaves the EU. Hosted on Hetzner in Germany. No US data transfers. No Schrems II concerns.
Kanban triage + CVSS v3.1 + SLA
Move reports from New to Triaged to Resolved with full status history. SLA timers fire automatically. Never miss a response deadline again.
Bounty pipeline + SOC 2 exports
Pay researchers via ACH/wire with 1099 tax handling. Export audit evidence in one click. AI screens duplicates and drafts responses.
Ready to check the compliance box?
$49/mo vs. $22,000/yr.
Free gets you audit-ready. The add-on gets you audit-confident.
DIY / Managed platforms: from $22,000/yr, plus 2-5 weeks of onboarding, custom integrations, legal review, and a dedicated program manager requirement.
Kit VDP: full triage add-on from $49/mo ($588/yr). That's 37x less than managed platforms.
- security.txt auto-published
- Structured intake form + CAPTCHA
- Kanban triage + CVSS + SLA (add-on)
- SOC 2 audit exports (add-on)
HackerOne and Bugcrowd also offer free submission forms. The cost above reflects their managed programs with operational triage features comparable to Kit's add-on.
AI handles the noise. You handle the signal.
Kit's VDP ships with AI tools that cover the full vulnerability lifecycle. The same AI infrastructure that manages your hiring pipeline now triages your security reports.
Full lifecycle coverage.
AI screens junk reports so you only see real vulnerabilities. It detects duplicates before you waste time, suggests CVSS severity, and drafts researcher responses so you reply in minutes, not days. Always with your confirmation.
Natural language, real actions.
Talk to your security data in plain English.
We use what we ship.
Kit runs its own VDP on this platform. Our security.txt is live. Our disclosure policy is published. We triage every report that comes in.
See our Trust Center
Questions, answered.
We're too small for a bug bounty program.
A VDP isn't a bug bounty - you're not offering rewards. It's a documented, compliant channel for researchers to report vulnerabilities. SOC 2 Type II, cyber insurers, and enterprise customers increasingly require proof that you have one. Kit's free tier gives you exactly that, with no commitment to pay anything.
Won't this invite hackers to attack us?
Researchers are already probing your infrastructure - they just have nowhere legitimate to send what they find. A VDP gives them a sanctioned path and provides you legal safe harbor. Without one, a well-meaning researcher might go public rather than risk legal exposure. With one, they come to you first.
Can I run a private, invite-only program?
Yes. Switch your portal to invite-only mode in Security Portal Settings and Kit generates a secret access token. Share the invite URL directly with trusted researchers - it grants them a persistent session on click. Anyone else who visits the portal sees a short access request form instead of a dead end. Pending requests appear in your sidebar with a badge; one click approves the request and sends the researcher their invite link automatically.
We'll get flooded with spam and low-quality reports.
Kit's intake form includes CAPTCHA, rate limiting, and an AI screening layer that catches junk before it reaches your queue. In practice, more than 80% of noise is filtered automatically. You'll see real reports - not inbox chaos.
We could just build a web form ourselves.
A form gets you intake. It doesn't give you SLA tracking, CVSS scoring, status history, researcher communication threads, bounty payments, tax document handling, or one-click SOC 2 export. Kit bundles all of that - so you spend an afternoon deploying it, not an engineering sprint building it.
We already use Vanta/Drata for compliance.
Perfect. Vanta and Drata track that you have a VDP. Kit runs it. Enable Kit's VDP, point your compliance tool to your published security.txt, and the checkbox is checked with a real, auditable program behind it - not just a policy document.
Why does a hiring platform offer a VDP?
Kit started as a hiring platform, but compliance infrastructure shares the same engineering DNA - structured intake, SLA tracking, workflow automation, and audit exports. We built the VDP on the same foundation, applied to a different workflow. Kit runs its own VDP on this platform. Our security.txt is live. Our disclosure policy is published. We triage every report that comes in.
What happens when a real critical vulnerability comes in?
When a critical report arrives, Kit sends an immediate notification to your team. From there: you triage the report, assess severity with CVSS v3.1 scoring, communicate with the researcher through threaded messages, assign it to the right person, track resolution against your SLA timer, and export the full audit trail when your auditor asks for evidence. The entire lifecycle is documented, timestamped, and exportable.
What about HackerOne or Bugcrowd?
HackerOne and Bugcrowd both offer free submission forms. Kit's free tier does too. The difference is what happens after a report arrives: Kit gives you SLA tracking, CVSS scoring, kanban triage, researcher communication, bounty payments, and SOC 2 exports at $49/mo. HackerOne's managed programs with equivalent operational features start at $22K+/yr. When you outgrow Kit, we export your full program history - report summaries, CVSS scores, SLA performance, communication logs, and financial ledger - as CSV or PDF. No migration headaches.
See how SOC 2 exports work
Is my VDP data portable if I leave Kit?
Yes. Kit's full account export packages every VDP record - programs, reports, assessments, messages, bounty awards, disbursements, researcher profiles, and AI screenings - into structured JSON. One click from Account Settings. You have 7 days to download the archive. Your security history is yours.
See what's included in a data export
Deploy your VDP in 5 minutes. Free.
No credit card required. security.txt published instantly. Upgrade when you need triage.