
How to create & publish a standard VDP

Follow the key steps required to publish your VDP

Updated this week

What is a VDP

A Vulnerability Disclosure Policy (VDP) provides a secure, anonymous, and straightforward way for anyone to report potential security vulnerabilities to your organisation.

Unlike active security testing, a VDP is a passive approach — it creates an open channel for external parties, such as security researchers or even customers who stumble upon sensitive data, to report issues responsibly and legally.

By encouraging early and legal disclosure, a VDP helps organisations identify and fix vulnerabilities before malicious actors ("black hats") can exploit them.

ℹ️ Learn more about key benefits and YesWeHack VDP solutions here.

💡 Check out our own VDP page.


How to set up a VDP

  • Go to the “Admin Panel”

  • Select “Programs” on the left-side menu

  • Click on the blue “+Program” button in the top right corner

  • Select “VDP”

  • Click on “Create program”

  • Choose the “title” of your VDP

  • You can choose to add the “Service level agreement for remediation”, which sets time-frame goals. It is disabled by default.

  • Click on “Save”

The VDP is not yet published. You must complete the policy configuration.

  • Click on “Policy” (the blue and red policy buttons go to the same page) to begin the configuration

A warning message will indicate that the VDP configuration takes place in a dedicated editor.

  • Click on “Go to policy”

Policy Editor

A default template, used by most organisations, is made available to all of our users. It can be reviewed and updated.

Settings overview

From the policy editor, you may then:

  • Edit, create and organize pages

  • Define a default style

  • Access a page's edition mode

  • Manage translation and languages

  • Consult versions, restore versions and revert changes

  • Edit VDP main settings (page title, favicon)

  • Configure the domain(s) for VDP publication

  • Publish the latest saved version of your VDP

  • Add metatags to improve its visibility

Edit, create and organize pages

Default pages are “Policy” and “Send a Report”, but you can also create new pages from scratch and personalize them.

Three types of blocks can be added to a new blank page: Text, Image, and Report form.

Page settings (e.g., dimensions, margin, background…) are available on the left-side menu.

ℹ️ Settings only apply to this page. However, it is possible to define a default style across pages.

Define a default style

  • Select “Settings” in the header drop down menu to modify the style for all pages

Access a page's edition mode

Default pages like “Policy” or “Send a report” can be updated:

  • Select a page

  • Click on a block to display new options

Text can be updated with the usual style settings: bold, italic, etc.

Manage translation and languages

The default language is English, but you can add new languages:

  • Click on “Settings” in the “language” drop down menu

  • Click on “Add language”

  • Select a “language” and the “associated flag” (adding a label isn’t mandatory; if empty, the language name will be used)

  • Select the “default” language you need for your VDP

Once a new language is added, translations have to be done on every page:

  • Select a page

  • Click on your content

  • Select “Translation tab” on the left-side menu

  • Translate the policy content directly

  • Or, click the pencil icon on the “Fields Translations” line from the form page. A window will open where you can enter the appropriate translation for each field (e.g., French translations for titles and fields).

  • Translate each field manually, or export and complete a .json file, then import it to fill all fields.

  • To change a page title, click on “Settings” in the left-side menu

  • Modify the “Title” field

  • Your VDP is now translated

Consult versions, restore versions, and revert changes

Once a new version is published, it is saved on the platform. Want to use previous content? Restore an earlier version to work on it and publish it as a new one.

  • Click on “Versions” to retrieve all VDP versions (new and previous ones)

  • Click on “Restore” if needed to use this previous version as the basis for a new one

Edit VDP main settings (page title, favicon)

Through the Settings menu, you can edit the title of your VDP and upload a favicon (supported formats: BMP, GIF, PNG, JPG, SVG; maximum file size: 5.0 MB).

You can also choose to be referenced on https://firebounty.com/.

  • Go to “Settings” in the header

  • Edit the VDP Title, the Favicon or update your preferences to be referenced on Firebounty

Your VDP (content and layout) is now ready to be published.


How to publish the VDP

Configure the domain(s) for VDP publication

Set up your VDP domain:

  • Go to “Domains” in the header

  • Click on “Set up a new domain”

  • Fill in the "Domain" field

💡 Tips

You have 2 options to set up a domain: either use the YWH domain for VDPs, [yourchoice].vulnerability-disclosure.com, or use your own domain.

Checking the box to use your own domain to publish the VDP (e.g., VDP.mycompany.com) is the preferred option for most organisations.

For your VDP to work properly on your own domain, you must register a CNAME DNS record pointing to zero.disclo.com.
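
To confirm the record before publishing, the check below parses `dig +noall +answer` output and verifies that the custom host is a CNAME to zero.disclo.com. It is an added example, not YesWeHack tooling; `vdp.mycompany.com`, the function names, the verdict strings and the sample answers are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: verify the VDP CNAME before clicking "Publish".
# zero.disclo.com is the target named in this article; the host name and
# the sample answers below are constructed placeholders.
EXPECTED_TARGET="zero.disclo.com"

# check_cname_answer HOST ANSWER
#   ANSWER is text in `dig +noall +answer` format: name TTL class type rdata.
#   Prints one verdict; returns 0 only when HOST is a CNAME to the target.
check_cname_answer() {
  printf '%s\n' "$2" | awk -v host="$1" -v want="$EXPECTED_TARGET" '
    # DNS names are case-insensitive and may carry a trailing root dot.
    function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
    BEGIN { host = norm(host); want = norm(want) }
    # Only records owned by HOST matter; records of the CNAME target are skipped.
    NF >= 5 && norm($1) == host {
      type = toupper($4)
      if (type == "CNAME") {
        t = norm($5)
        if (!(t in seen)) { seen[t] = 1; ncname++; target = t }
      } else if (type == "A" || type == "AAAA") {
        naddr++
      }
    }
    END {
      if (naddr > 0)      { print "address-record-at-host"; exit 3 }
      if (ncname == 0)    { print "no-cname"; exit 1 }
      if (ncname > 1)     { print "multiple-cnames"; exit 3 }
      if (target != want) { print "wrong-target:" target; exit 2 }
      print "ok"; exit 0
    }'
}

# check_vdp_domain HOST: live lookup (needs dig and network access).
# An A query returns the CNAME chain as well, so one query is enough.
check_vdp_domain() {
  check_cname_answer "$1" "$(dig +noall +answer "$1" A)"
}

# Constructed sample answers (not real lookups; 192.0.2.0/24 is documentation space).
SAMPLE_OK='vdp.mycompany.com. 300 IN CNAME zero.disclo.com.
zero.disclo.com. 60 IN A 192.0.2.10'
SAMPLE_STALE='vdp.mycompany.com. 300 IN CNAME old-host.example.net.'
SAMPLE_A='vdp.mycompany.com. 300 IN A 192.0.2.20'
```

Run `check_vdp_domain vdp.mycompany.com` against your own host once the record has propagated; any verdict other than `ok` means the record should be corrected before publishing.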

💡Tips: Domain validation

DNS validation, certificate creation, and deployment are completed automatically and are required before publishing a VDP.

Note that we provide a Let’s Encrypt certificate, but it is possible to use a different one. Reach out to your CSM for more information.

Publish the latest saved version of your VDP

ℹ️ You must publish the VDP every time you update it.

Once the DNS creation and correct setup are completed on your end (see previous step), you can proceed with the VDP publication.

  • Go to “Publish” in the header

  • Click on “Publish” in the window

ℹ️ If you have multiple domains configured, it will deploy your VDP on all the domains listed as ‘ready’, but note that the content will be the same on each.

Add metatags to improve the visibility of your VDP

Improve referencing & visibility of your VDP

  • Include a link to your VDP in the contact page (or dedicated security page, if you have one)

This will drastically improve how the VDP page is referenced on search engines.

SEO configuration

  • Click on “SEO Configuration” in the left-side menu

ℹ️ Clicking directly on your content will display the style settings. To access the appropriate menu on the left, do not select the policy or form text.

  • Fill in the "Tag Name" and "Content" fields

ℹ️ For example, you might edit the description as: ‘Found a vulnerability for <company name>? Send a report through our Vulnerability Disclosure Policy.’

  • Click on “Add a meta tag” if needed

  • Choose a “Tag Name”

  • Click on “Add”

  • Close the window

  • Meta tags are integrated; it’s now easier to find your VDP on search engines

Security.txt


Next steps

Once your VDP is published, researchers will be able to submit reports through your VDP page.

To share your VDP, copy/paste its link from the platform:

  • Go to the “Admin Panel”

  • Click on your VDP program

  • Find your VDP URL

You will retrieve the reports directly from the YesWeHack interface, with the same templates, features, workflows and dashboards as your Bug Bounty reports.

ℹ️ Remember that VDP reports are anonymous and will not be rewarded.
