What Is a Vulnerability Disclosure Program (VDP)? How to Set One Up in 2026


Quick Answer: A Vulnerability Disclosure Program (VDP) is a formal process that invites security researchers to report discovered vulnerabilities in your systems directly to your organisation, rather than publicly or to attackers. A VDP policy defines the scope, safe harbour protections for researchers, and your response commitments — creating a trusted channel for responsible disclosure.


Security researchers around the world find vulnerabilities in organisations’ systems every day. Without a clear Vulnerability Disclosure Program (VDP), those researchers have no safe, legal way to report what they find. The finding then tends to surface in the worst possible ways: public disclosure without warning, exploitation before a fix exists, or sale on dark web markets. A VDP gives you a structured, legal channel to receive, triage, and fix vulnerability reports before they become incidents.

What Is a Vulnerability Disclosure Program (VDP)?

A VDP is a formal policy and process that defines how external security researchers can responsibly report security vulnerabilities they discover in your organisation’s systems. It typically includes:

  • A clear statement of what is in scope (and out of scope)
  • Safe harbour provisions protecting good-faith researchers from legal action
  • A secure submission channel (email, web form, or dedicated platform)
  • Commitment to acknowledge, triage, and remediate reports within defined timelines
  • A communication protocol for coordinated disclosure

VDP vs Bug Bounty Program — What Is the Difference?

Feature                | VDP                            | Bug bounty
Financial reward       | No (recognition only)          | Yes (monetary reward)
Cost                   | Low (process and platform)     | High (ongoing rewards)
Best starting point    | Yes                            | After the VDP has matured
Researcher motivation  | Ethical disclosure, CVE credit | Financial incentive
Volume of reports      | Lower                          | Higher

Most organisations start with a VDP, build internal triage maturity, then graduate to a bug bounty programme when ready to handle higher volume.

Why Your Organisation Needs a VDP in 2026

  • US federal requirement: CISA Binding Operational Directive 20-01 requires every federal civilian executive branch agency to publish a vulnerability disclosure policy. The directive does not bind contractors, but US government suppliers are increasingly expected to follow suit.
  • Cyber insurance: US, Australian, and UK insurers increasingly ask whether a VDP exists in their underwriting questionnaires. Having one can factor into pricing; it does not by itself guarantee a lower premium.
  • ISO 27001: ISO/IEC 27001:2022 Annex A control 8.8 (Management of technical vulnerabilities) expects you to obtain information about vulnerabilities in your systems, which a VDP feeds directly. The companion standards ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes) describe the receiving and handling process a VDP implements.
  • Legal protection: Without a VDP, researchers who find and report vulnerabilities risk prosecution under computer misuse laws such as the US CFAA. The US Department of Justice’s 2022 charging policy directs prosecutors not to charge good-faith security research, but a written safe harbour from the asset owner is still what researchers rely on in practice.
  • Early warning system: A VDP is a low-cost, continuous source of vulnerability intelligence from external researchers, often surfacing issues your paid assessments missed. The cost is not zero: every report still needs triage time.

How to Set Up a VDP — Step by Step

  1. Define scope: list in-scope assets (websites, APIs, applications) and out-of-scope items (production databases, third-party systems, employee devices). State which testing techniques are prohibited regardless of target, typically denial of service, social engineering, and physical access.
  2. Write your VDP policy: include safe harbour language, scope, prohibited actions, the disclosure timeline, and the recognition process.
  3. Choose a submission channel: a dedicated security mailbox, a web form, or a dedicated VDP platform (HackerOne VDP, Bugcrowd VDP, Intigriti, or self-hosted).
  4. Build a triage process: assign ownership for incoming reports, and define who receives, validates, deduplicates, scores (CVSS), assigns, and tracks each one to resolution.
  5. Publish your policy: serve the file at /.well-known/security.txt as RFC 9116 requires (a copy or redirect at the legacy /security.txt location is optional), and link the policy from your security page, site footer, and responsible disclosure page.
  6. Set SLAs: define your commitment, for example acknowledge within 24–72 hours, triage within one week, resolve Critical findings within 30 days, and state the coordinated disclosure window you ask researchers to honour (90 days is common).
  7. Test and iterate: run internal test submissions, refine the process, then gradually expand scope.
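Step 5 is the one step above with a machine-readable artefact: the RFC 9116 security.txt file that tells researchers where to send reports. The script below, an added example written for this article and not code from eShield Consulting or any VDP platform, builds a security.txt body with the two required fields (Contact and Expires) and then validates a file against the rules researchers’ tooling checks: required fields present, Contact and link fields expressed as URIs (mailto: for e-mail, https for web links), Expires appearing once, not in the past, and less than a year out. The domain example.com, the security@ mailbox, and the policy and acknowledgments URLs are hypothetical placeholders.

```python
"""Build and validate an RFC 9116 security.txt file.

Added example for this article, not eShield Consulting's code or a
published tool. example.com, security@example.com and the URLs used in
the demo are hypothetical placeholders.
"""
from datetime import datetime, timedelta, timezone

# RFC 9116 field names. Matching is case-insensitive; this is the canonical form.
KNOWN_FIELDS = {
    "acknowledgments": "Acknowledgments",
    "canonical": "Canonical",
    "contact": "Contact",
    "encryption": "Encryption",
    "expires": "Expires",
    "hiring": "Hiring",
    "policy": "Policy",
    "preferred-languages": "Preferred-Languages",
}
REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUE_FIELDS = ("Expires", "Preferred-Languages")   # MUST NOT appear more than once
WEB_LINK_FIELDS = ("Acknowledgments", "Canonical", "Hiring", "Policy")  # web URIs, https only
ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")   # schemes RFC 9116 allows for Encryption
WELL_KNOWN_PATH = "/.well-known/security.txt"              # the location RFC 9116 mandates


def build_security_txt(contacts, expires, policy=None, canonical=None,
                       acknowledgments=None, encryption=None, languages=None):
    """Render a security.txt body. `expires` must be a timezone-aware datetime."""
    lines = ["# Vulnerability disclosure contact information, per RFC 9116"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    for name, value in (("Policy", policy), ("Canonical", canonical),
                        ("Acknowledgments", acknowledgments), ("Encryption", encryption)):
        if value:
            lines.append(f"{name}: {value}")
    if languages:
        lines.append("Preferred-Languages: " + ", ".join(languages))
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return {canonical field name: [values]}; unknown fields keep their own name."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank lines and comments carry no fields
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        key = KNOWN_FIELDS.get(name.strip().lower(), name.strip())
        fields.setdefault(key, []).append(value.strip())
    return fields


def _parse_expires(value):
    # RFC 9116 requires an ISO 8601 date-time. Python before 3.11 rejects a
    # trailing 'Z', so normalise it to an explicit UTC offset first.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is RFC 9116-clean."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")

    # Contact values are URIs: a bare e-mail address is a common mistake.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    for name in WEB_LINK_FIELDS:
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                problems.append(f"{name} must be an https URI: {value}")
    for value in fields.get("Encryption", []):
        if not value.startswith(ENCRYPTION_SCHEMES):
            problems.append(f"Encryption must be an https:, dns: or openpgp4fpr: URI: {value}")

    for value in fields.get("Expires", [])[:1]:
        try:
            expires = _parse_expires(value)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}; researchers will treat it as stale")
        elif expires > now + timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    body = build_security_txt(
        contacts=["mailto:security@example.com", "https://example.com/security/report"],
        expires=now + timedelta(days=180),           # refresh the file well before this date
        policy="https://example.com/security/vdp-policy",
        canonical="https://example.com" + WELL_KNOWN_PATH,
        acknowledgments="https://example.com/security/hall-of-fame",
        languages=["en"],
    )
    print(body)
    print("problems:", validate_security_txt(body, now))
```

Run the validator against your live file as part of the periodic review in step 7: the most common production failure is simply an Expires date that has passed, which makes researchers (and the platforms that crawl security.txt) distrust the contact details.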

VDP for US, Australian, and Indian Organisations

US organisations: Following CISA’s lead, private-sector adoption of VDPs is growing. The SEC’s 2023 cybersecurity disclosure rules require public companies to report material cyber incidents on Form 8-K and to describe their cyber risk management processes in annual filings, so a documented intake process for external security reports is worth having on record.

Australian organisations: The Australian Signals Directorate’s ACSC publishes guidance on running a VDP, and the Information Security Manual (ISM) contains vulnerability disclosure controls. A VDP is not one of the Essential Eight mitigation strategies, but it complements the patching strategies in that list. Entities regulated under APRA CPS 234 can use a VDP as a continuous assurance mechanism.

Indian IT companies: CERT-In’s 2022 directions require cyber incidents to be reported within six hours of being noticed. A vulnerability report received through your VDP is not in itself an incident, which is exactly the point: disclosure through your VDP lets you remediate before the issue is exploited, which is when the six-hour clock would start.

Frequently Asked Questions — VDP

Does a VDP make us more vulnerable by inviting researchers in?

No. Attackers are already looking at your systems whether or not you have a VDP. Without one, the researchers who find something have no sanctioned way to tell you, and malicious actors exploit what they find rather than report it. A VDP gives good-faith researchers a channel to report to you instead, so you hear about the issue first.

How much does a VDP cost to set up?

A basic VDP policy, security.txt file, and email submission channel costs essentially nothing beyond internal time. Dedicated VDP platforms range from free (for basic features) to USD 2,000–10,000 per year for managed platforms with triaging support.

Ready to launch your VDP? Contact eShield Consulting for VDP programme design and implementation support for your organisation.

