Quick Answer: VDP programme setup services cover policy design, safe harbour legal review, platform selection (HackerOne, Bugcrowd, Intigriti), triage process design, and launch support. A well-structured VDP can be live within 4–6 weeks and directly satisfies ISO 27001:2022 control 8.8 (Management of technical vulnerabilities).
What Is a Vulnerability Disclosure Program?
A Vulnerability Disclosure Program (VDP) is a formal, public-facing process that invites security researchers and ethical hackers to report vulnerabilities they discover in your systems — safely, legally, and with a clear response commitment from your organisation. A well-run VDP reduces your attack surface by harnessing the security research community’s collective expertise.
VDPs are increasingly mandated: the US CISA Binding Operational Directive 20-01 requires federal agencies to operate a VDP; the UK NCSC and Australia’s ASD recommend VDPs as part of responsible security operations; and ISO 27001:2022 control 8.8 explicitly calls for processes to obtain technical vulnerability information from external sources.
VDP vs Bug Bounty — What’s the Difference?
- VDP: Researchers are rewarded with acknowledgement (Hall of Fame) rather than financial payment. Lower cost, but still attracts high-quality reports from reputation-motivated researchers.
- Bug Bounty: Researchers receive financial rewards per valid finding. Higher cost, higher volume, and higher noise — better suited for mature security teams with triage capacity.
Most organisations should start with a VDP and graduate to a bug bounty programme once their triage and remediation processes are mature.
What eShield Delivers in a VDP Setup Engagement
VDP Policy Design
We draft a clear, legally reviewed VDP policy covering: scope (in-scope and out-of-scope assets), safe harbour provisions, disclosure timeline expectations, and researcher conduct expectations. A clear policy is essential — ambiguous policies deter legitimate researchers.
Platform Selection and Setup
We evaluate and configure VDP platforms including HackerOne, Bugcrowd (VDP tier), Intigriti, and self-hosted options. Platform selection depends on your industry, budget, and desired researcher community reach.
Triage Process Design
We design your internal triage workflow: intake, initial response SLA, severity classification, routing to remediation teams, and researcher communication templates. Slow or poor communication is the primary reason researchers lose trust in a VDP.
Legal Safe Harbour Review
We work with your legal team (or recommend legal partners) to ensure your VDP policy provides adequate safe harbour protection for researchers acting in good faith — a critical element that many organisations get wrong.
Launch and Researcher Outreach
We assist with the programme launch including public announcement, listing on disclosure aggregators, and initial researcher outreach to generate quality early submissions.
Learn more about our VDP Programme service or explore how it integrates with our External Attack Surface Management capabilities.
Frequently Asked Questions
How long does it take to launch a VDP?
With eShield’s structured programme, most organisations can have a live VDP within 4–6 weeks from kick-off — including policy drafting, legal review, platform setup, and triage process documentation.
Will we get flooded with low-quality reports?
A well-scoped VDP with a clear policy significantly reduces noise. We help you define scope boundaries and exclusion criteria that filter out automated scanner dumps and out-of-scope reports. Most clients receive 5–20 quality reports per month initially.
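The scope boundaries, exclusion criteria, first-response SLA and routing described under Triage Process Design and in this FAQ, sketched as a Python intake helper. This is an added example, not eShield's own tooling or any platform's API; the domains, exclusion categories, SLA hours and team names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Constructed policy values; a real programme takes these from its published VDP policy.
IN_SCOPE = ("example.com", "api.example.com")           # wildcard: subdomains included
OUT_OF_SCOPE = ("legacy.example.com",)                   # checked first, wins over IN_SCOPE
EXCLUDED_CATEGORIES = {"missing security headers", "version disclosure"}  # scanner noise
FIRST_RESPONSE_HOURS = {"critical": 24, "high": 48, "medium": 120, "low": 240}
ROUTING = {"api.example.com": "platform-team", "example.com": "web-team"}

@dataclass
class Report:
    report_id: str
    host: str
    category: str
    severity: str          # as classified by the intake analyst
    received: datetime

@dataclass
class Decision:
    status: str            # accepted | out_of_scope | excluded | needs_info
    route_to: Optional[str]
    respond_by: datetime   # every researcher gets a first response, accepted or not
    reason: str

def _matches(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def in_scope(host: str) -> bool:
    host = host.lower().rstrip(".")
    if _matches(host, OUT_OF_SCOPE):   # explicit exclusions take precedence
        return False
    return _matches(host, IN_SCOPE)

def owning_team(host: str) -> Optional[str]:
    matches = [d for d in ROUTING if host == d or host.endswith("." + d)]
    return ROUTING[max(matches, key=len)] if matches else None  # longest suffix wins

def triage(report: Report) -> Decision:
    host = report.host.lower().rstrip(".")
    sev = report.severity.lower()
    hours = FIRST_RESPONSE_HOURS.get(sev, 48)         # unknown severity still gets an ack SLA
    due = report.received + timedelta(hours=hours)
    if not in_scope(host):
        return Decision("out_of_scope", None, due, f"{host} is not an in-scope asset")
    if report.category.lower() in EXCLUDED_CATEGORIES:
        return Decision("excluded", None, due, f"'{report.category}' is in the policy's exclusion list")
    if sev not in FIRST_RESPONSE_HOURS:
        return Decision("needs_info", None, due, "severity could not be classified from the report")
    return Decision("accepted", owning_team(host), due, f"routed with {hours}h first-response SLA")
```

Note that out-of-scope and excluded reports still carry a respond-by time: the point of the SLA is that every researcher hears back, since silence is what costs a programme its reputation.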
Is a VDP required for ISO 27001 certification?
ISO 27001:2022 control 8.8 (Management of technical vulnerabilities) requires processes to obtain vulnerability information from external sources. A VDP directly satisfies this control and provides auditable evidence of your vulnerability intake process.
Get in touch to discuss launching your VDP programme.