Vulnerability Disclosure Program (VDP) Services UAE & India | eShield

Vulnerability Disclosure Program (VDP) Services

Launch a Responsible Disclosure Programme in Weeks

Give security researchers a safe, structured channel to report vulnerabilities in your systems — before criminals find them. eShield designs, deploys, and manages Vulnerability Disclosure Programs for organisations across UAE, India, and the GCC.


What Is a Vulnerability Disclosure Program?

A Vulnerability Disclosure Program (VDP) is a formal policy and process that allows external security researchers, ethical hackers, and customers to report security vulnerabilities to your organisation safely and responsibly — without fear of legal action.

Unlike a bug bounty programme, a VDP does not require cash rewards. It establishes a clear disclosure policy, intake process, and response commitment — making it the natural first step before launching a paid bug bounty.

Regulatory note: CERT-In's 2022 Directions (India) require organisations to report cybersecurity incidents within 6 hours. A structured VDP ensures inbound disclosures are routed, triaged, and escalated within that window. In UAE, the TDRA Cybersecurity Framework and NESA IA standards both recommend formalised disclosure processes.

What We Build For You

📄 Disclosure Policy Drafting

Legal-reviewed VDP policy covering scope definition, safe harbour provisions, response SLAs, and out-of-scope exclusions. Compliant with coordinated disclosure best practices (ISO 29147).

🌐 security.txt Implementation

Configure an RFC 9116-compliant security.txt file at /.well-known/security.txt so that researchers can discover your disclosure contact. It is simple to deploy, yet missing from 95% of UAE company websites.
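As an added illustration (not eShield's own code), the following Python checks a security.txt file against the basic RFC 9116 rules a triage team relies on: at least one Contact given as a URI, exactly one Expires that is still valid and no more than a year out, and single-valued fields not repeated. The sample file contents and the example.com addresses are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a /.well-known/security.txt file (assumption: not a real site).
SAMPLE = """# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2030-12-31T23:59:59Z
Policy: https://example.com/.well-known/vdp-policy
Preferred-Languages: en, ar
Canonical: https://example.com/.well-known/security.txt
"""
# Constructed bad file: bare e-mail address (not a URI) and no Expires field.
BAD_SAMPLE = "Contact: security@example.com\n"
# Fixed reference time so the Expires check is reproducible offline.
REFERENCE_NOW = datetime(2030, 6, 1, tzinfo=timezone.utc)

REQUIRED = ("Contact", "Expires")
SINGLE = ("Expires", "Preferred-Languages")  # RFC 9116: MUST NOT appear more than once

def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}, skipping comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes the basic checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field {f}" for f in REQUIRED if f not in fields]
    problems += [f"field {f} must appear at most once" for f in SINGLE if len(fields.get(f, [])) > 1]
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI (mailto:/https:/tel:): {contact}")
    if len(fields.get("Expires", [])) == 1:
        try:
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
            if expires <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif expires > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    return problems
```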

😁 Intake & Triage Portal

Dedicated submission portal with structured reporting forms, encrypted email option, and researcher communication workflow. Integrated with your ticketing system (Jira, ServiceNow, Linear).

🔍 Vulnerability Triage & Validation

eShield security engineers triage and validate incoming reports within your defined SLA. We separate noise from real vulnerabilities and provide CVSS scoring with remediation priority.

📊 Programme Metrics & Reporting

Monthly reports on disclosure volume, CVSS severity distribution, resolution time, and researcher engagement. Board-ready summary for your CISO or vCISO.

🚀 Bug Bounty Readiness

After 6–12 months of VDP operation, we can help you transition to a paid bug bounty programme on HackerOne, Bugcrowd, or Intigriti — with all the processes already in place.

VDP Service Tiers

From policy-only to fully managed disclosure programmes

Launch
AED 4,500

One-time setup fee

Everything you need to publish a credible VDP

  • ✓ Disclosure policy document
  • ✓ security.txt implementation
  • ✓ Scope definition workshop
  • ✓ Email intake setup
  • ✓ Researcher response templates
⭐ Managed — Most Popular
AED 2,500/mo

+ AED 4,500 setup

Full triage, validation, and reporting managed by eShield

  • ✓ Everything in Launch
  • ✓ Dedicated intake portal
  • ✓ eShield triage (48hr SLA)
  • ✓ CVSS scoring + prioritisation
  • ✓ Monthly programme report
  • ✓ Researcher communication managed
Enterprise + Bug Bounty
Custom

Includes bounty fund management

Full programme with optional paid rewards for critical findings

  • ✓ Everything in Managed
  • ✓ Bug bounty programme design
  • ✓ HackerOne / Bugcrowd integration
  • ✓ Bounty policy and payout rules
  • ✓ Researcher community engagement
  • ✓ Quarterly board presentation

Frequently Asked Questions

What is the difference between a VDP and a bug bounty?

A VDP is a promise to researchers that you will respond to their reports without legal retaliation — no monetary rewards are required. A bug bounty adds financial incentives for valid findings. Most organisations start with a VDP and graduate to a bug bounty after 6–12 months.

How long does it take to launch a VDP?

With eShield's Launch package, you can be live in 2–3 weeks. The Managed programme takes 3–4 weeks to configure the intake portal, triage workflow, and reporting dashboards.

Is a VDP required for CERT-In compliance?

CERT-In's 2022 Directions require a 6-hour incident reporting window. A formalised VDP with triage SLAs helps ensure externally reported vulnerabilities are escalated and documented within that window, reducing compliance risk.

What do researchers actually submit?

Typical disclosures include authentication bypasses, broken access control, XSS/injection vulnerabilities, exposed sensitive data, subdomain takeovers, and misconfigured cloud storage. eShield's triage team validates each submission and filters out non-issues before escalating to your team.

Ready to Launch Your Vulnerability Disclosure Program?

Contact eShield to discuss your scope, timeline, and the right tier for your organisation. Most programmes go live within 3 weeks.
