Free Security Module

Your first vulnerability disclosure program. Live in 5 minutes.

Researchers are already probing your infrastructure - they just have nowhere to report what they find. Kit gives you a structured VDP with security.txt auto-published, a branded intake portal, and evidence ready for auditors. Free to deploy.

EU-hosted 5-minute setup 80% spam filtered $49/mo full triage

A VDP is how your company handles vulnerability reports.

A Vulnerability Disclosure Program is a formal, documented channel for security researchers to report bugs in your software. Think of it as a structured version of security@ email - with SLA tracking, CVSS scoring, and an audit trail. SOC 2 auditors, cyber insurers, and enterprise customers increasingly require one.

Kit already handles your candidate pipeline. Your VDP runs on the same infrastructure, the same audit trail, the same team.

Regulatory Deadlines

The window is narrowing.

Active now

SOC 2 Type II

CC7.1: auditors are flagging the absence of documented vulnerability monitoring programs.

September 11, 2026

EU Cyber Resilience Act

Article 14 requires vulnerability reporting for products with digital elements.

Active since October 2024

NIS2 Directive

Art. 21(2)(e) mandates VDP as one of ten required cybersecurity measures for essential and important entities. Fines up to EUR 10M or 2% of revenue.

Growing

Cyber Insurance

Cyber insurance underwriters are adding VDP to policy application questionnaires.

The problem with security@ email.

Every startup inherits the same broken workflow. Here's why it doesn't survive a SOC 2 audit.

Your auditor just asked about CC7.1

SOC 2 CC7.1 requires documented evidence of vulnerability monitoring. A Jira ticket isn't evidence. A timestamped audit trail is.

Enterprise deals blocked

Enterprise prospects send security questionnaires. "Do you have a VDP?" is now a standard question. Without one, the deal stalls at procurement.

Managed platforms start at $22K/yr

HackerOne and Bugcrowd offer free submission forms. Their managed programs with real triage start at $22K+/yr. Kit gives you operational triage for $49/mo.

From report to resolution.

Follow a single vulnerability report through the researcher's own portal — every step of the lifecycle, exactly as they see it.

Why it works this way

Branded portal

Your logo, your domain, your disclosure policy. Researchers see a professional, branded experience.

Structured reports

Every report captures title, severity, proof-of-concept, and impact. No more parsing email threads.

Full lifecycle tracking

Reports flow from submission through triage to resolution. Full status history, SLA timers, and audit trail at every step.

5 minutes to compliance.

Three steps. No procurement, no integration projects, no waiting.

1

Enable VDP

Toggle on the VDP module in your Kit settings. Your security.txt is published instantly at /.well-known/security.txt and your disclosure policy page goes live.

2

First report arrives structured

Researchers submit through a branded intake form on your custom domain. You see a clean report with CVSS score, not a forwarded email chain.

3

Upgrade when triage matters

Add the full triage module for $49/mo when you're ready for kanban boards, SLA tracking, bounty payments, and SOC 2 export.

Free gets you compliant. The add-on gets you confident.

Free features get you compliant today. The add-on takes you from compliant to confident.

Free

security.txt + disclosure policy

RFC 9116-compliant security.txt auto-published at /.well-known/security.txt. Expiration alerts keep it current. Researchers know how to reach you.

Free

Structured intake form + CAPTCHA

No more freeform emails. Every report captures title, description, CVSS vector, proof-of-concept, and impact - structured from the start.

Free

Automated spam filtering

CAPTCHA, rate limiting, and AI screening catch more than 80% of junk before it reaches your queue. AI-generated slop gets scored and flagged - fabricated CVEs, hallucinated code paths. You see real reports, not noise.

Free

Invite-only mode

Run a private program with invite-only access. Share secure invite links with trusted researchers. Pending access requests appear in your sidebar.

Free

Custom domain portal

Run your security portal on your own domain. Researchers see your brand, not ours. Custom domains are free for all VDP accounts.

Free

EU-hosted infrastructure

Your vulnerability data never leaves the EU. Hosted on Hetzner in Germany. No US data transfers. No Schrems II concerns.

Add-on

Kanban triage + CVSS v3.1 + SLA

Move reports from New to Triaged to Resolved with full status history. SLA timers fire automatically. Never miss a response deadline again.

Add-on

Bounty pipeline + SOC 2 exports

Pay researchers via ACH/wire with 1099 tax handling. Every award, payout, and tax document is written to an append-only ledger - and exports as audit evidence in one click.

Add-on

Share a report, keep the chain of custody

Send a redacted report to an outside engineer via an email-bound link that expires in 7 days. Forwarded links don't work. Every open lands in an append-only access log - who, when, from where.

On-call rotations + per-severity SLAs

Add-on

Rotate who's on point daily or weekly, or sync your PagerDuty schedule. Every severity gets its own resolution clock - critical defaults to 72 hours - on top of the acknowledgment timer.

Ready to check the compliance box?

AI-Powered Triage

AI handles the noise. You handle the signal.

Kit's VDP ships with AI tools that cover the full vulnerability lifecycle. The same AI infrastructure that manages your hiring pipeline now triages your security reports.

Full lifecycle coverage.

33 MCP tools cover the lifecycle end to end - screening, duplicates, severity, bounties, shares, postmortems. AI drafts researcher responses so you reply in minutes, not days. Always with your confirmation.

Claude ChatGPT Gemini
Read the AI integration docs

Natural language, real actions.

Talk to your security data in plain English.

"Show me all High severity reports breaching SLA"
"Check report rpt_abc123 for duplicates and suggest severity"
"Draft a dismissal response - this looks out of scope"
"Approve a $500 bounty for the SQL injection report"
Your code never leaves your CI

AI triage that reads your codebase. Without Kit ever seeing it.

Kit hands each report to an agent running in your own CI, on your own model, with your own prompts. It checks the claim against your actual source - is this path really exploitable? - and sends back a verdict with severity, affected files, and reasoning. The code, the credentials, and the model stay on your side.

Runs in your CI, on your model Kit stores the verdict, never your source

$49/mo vs. $22,000/yr.

Free gets you audit-ready. The add-on gets you audit-confident.

DIY / Managed platforms

security@ inbox (unstructured) $0
HackerOne / Bugcrowd (managed) $22K+/yr
With setup time & overhead Weeks

Plus 2-5 weeks of onboarding, custom integrations, legal review, and a dedicated program manager requirement.

5-minute setup

Kit VDP

Free to start

Full triage add-on from $49/mo

$588/yr. That's 37x less than managed platforms.

  • security.txt auto-published
  • Structured intake form + CAPTCHA
  • Kanban triage + CVSS + SLA (add-on)
  • SOC 2 audit exports (add-on)
EU-hosted

HackerOne and Bugcrowd also offer free submission forms. The cost above reflects their managed programs with operational triage features comparable to Kit's add-on.

We use what we ship.

Kit runs its own VDP on this platform. Our security.txt is live. Our disclosure policy is published. We triage every report that comes in.

See our Trust Center

Questions, answered.

We're too small for a bug bounty program.

A VDP isn't a bug bounty - you're not offering rewards. It's a documented, compliant channel for researchers to report vulnerabilities. SOC 2 Type II, cyber insurers, and enterprise customers increasingly require proof that you have one. Kit's free tier gives you exactly that, with no commitment to pay anything.

Won't this invite hackers to attack us?

Researchers are already probing your infrastructure - they just have nowhere legitimate to send what they find. A VDP gives them a sanctioned path and provides you legal safe harbor. Without one, a well-meaning researcher might go public rather than risk legal exposure. With one, they come to you first.

Can I run a private, invite-only program?

Yes. Switch your portal to invite-only mode in Security Portal Settings and Kit generates a secret access token. Share the invite URL directly with trusted researchers - it grants them a persistent session on click. Anyone else who visits the portal sees a short access request form instead of a dead end. Pending requests appear in your sidebar with a badge; one click approves the request and sends the researcher their invite link automatically.

We'll get flooded with spam and low-quality reports.

Kit's intake form includes CAPTCHA, rate limiting, and an AI screening layer that catches junk before it reaches your queue. In practice, more than 80% of noise is filtered automatically. You'll see real reports - not inbox chaos.

What about AI-generated slop reports?

Every incoming report is screened with a confidence score and named signals - fabricated CVEs, hallucinated functions, template language. Flagged reports are marked for review before they cost your team a minute. Combined with CAPTCHA and rate limiting, more than 80% of noise never reaches your queue.

We could just build a web form ourselves.

A form gets you intake. It doesn't give you SLA tracking, CVSS scoring, status history, researcher communication threads, bounty payments, tax document handling, or one-click SOC 2 export. Kit bundles all of that - so you spend an afternoon deploying it, not an engineering sprint building it.

We already use Vanta/Drata for compliance.

Perfect. Vanta and Drata track that you have a VDP - Kit runs it. Enable Kit's VDP, point your compliance tool at your published security.txt, and the box is checked with a real program behind it. On the add-on, Kit also syncs confirmed reports into Vanta as vulnerability evidence for SOC 2 CC7.1 and ISO 27001 A.8.8 - resolve a report in Kit and Vanta records it remediated on the next sync.

Why does a hiring platform offer a VDP?

Kit started as a hiring platform, but compliance infrastructure shares the same engineering DNA - structured intake, SLA tracking, workflow automation, and audit exports. We built the VDP on the same foundation, applied to a different workflow. Kit runs its own VDP on this platform. Our security.txt is live. Our disclosure policy is published. We triage every report that comes in.

What happens when a real critical vulnerability comes in?

When a critical report arrives, Kit sends an immediate notification to your team. From there: you triage the report, assess severity with CVSS v3.1 scoring, communicate with the researcher through threaded messages, assign it to the right person, track resolution against your SLA timer, and export the full audit trail when your auditor asks for evidence. The entire lifecycle is documented, timestamped, and exportable.

Can I hand my auditor a single document for an incident?

Yes. Every report exports as an incident dossier PDF: executive summary, full timeline, CVSS breakdown, postmortem, evidence manifest, and sign-off page. One click, one file, ready for the audit binder.

What about HackerOne or Bugcrowd?

HackerOne and Bugcrowd both offer free submission forms. Kit's free tier does too. The difference is what happens after a report arrives: Kit gives you SLA tracking, CVSS scoring, kanban triage, researcher communication, bounty payments, and SOC 2 exports at $49/mo. HackerOne's managed programs with equivalent operational features start at $22K+/yr. When you outgrow Kit, we export your full program history - report summaries, CVSS scores, SLA performance, communication logs, and financial ledger - as CSV or PDF. No migration headaches.

See how SOC 2 exports work
Is my VDP data portable if I leave Kit?

Yes. Kit's full account export packages every VDP record - programs, reports, assessments, messages, bounty awards, disbursements, researcher profiles, and AI screenings - into structured JSON. One click from Account Settings. You have 7 days to download the archive. Your security history is yours.

See what's included in a data export

Deploy your VDP in 5 minutes. Free.

No credit card required. security.txt published instantly. Upgrade when you need triage.