Vulnerability Disclosure Program — VDP · bug-bounty program
Stand up a Vulnerability Disclosure Program (VDP) or bug-bounty — policy definition, triage process, researcher communications and reward management.
Coverage that goes deep.
- VDP policy & scope definition
- Researcher portal setup
- Triage process & SLA
- Severity scoring (CVSS v3.1)
- Reward / bounty management
- Public disclosure coordination
- Hall of fame / acknowledgement system
- Timeline: 3–6 weeks setup
- Methodology: ISO 29147, ISO 30111, CERT/CC Guidelines
- Category: Advisory
- Re-test: Included after fixes
Every engagement is led by a CRTO/OSCP-certified senior engineer with named accountability.
What you get back.
A structured deliverable pack you can hand to engineers, auditors and the board.
- VDP policy document
- Triage runbook
- Public disclosure portal
- Hall-of-fame management
How we work.
- Scope: Confidential scoping call. We agree assets, environments, exclusions and timing.
- Test: Active testing per agreed methodology, with daily check-ins on critical findings.
- Report: Executive + technical deliverables. CXO presentation if you want it.
- Retest: Re-test included after your team applies fixes. Certificate issued on pass.
Common questions.
VDP vs bug bounty?
Tell us about your environment.
A 30-minute scoping call — confidential, NDA-protected, complimentary. Our senior security team will respond within 4 business hours.
- Named senior engineer on every project
- In-house tools in production · ISO 27001 aligned practices
- 4-hour breach SLA · 5–10 day delivery