VDP customization and setup

Set up your Vulnerability Disclosure Policy (VDP) in a simple and guided way

While Bug Bounty is and will remain our platform’s raison d’être, we offer a set of features allowing Organizations to easily set-up and manage a Vulnerability Disclosure Policy (VDP).

Here you can find out how to create and customize it with the YesWeHack platform.

Please remind me, what is a VDP?

A Vulnerability Disclosure Policy (VDP) is a secure and structured channel that allows anyone to report security issues and vulnerabilities to exposed organisations. 

VDP is a complementary approach to bug bounty. Indeed, while bug bounty is an active approach, a VDP is a more passive approach. In a nutshell, you set up a communication channel on a dedicated webpage. Then, anyone acting in good faith who wishes to report a bug can do it through the dedicated webpage. However, there is no incentive nor reward.

Want to know more about how we deal with VDP ? Here you go

Do you wish to see a real example? Here you go also (YesWeHack VDP) : https://vdp.yeswehack.com/

How to set-up a VDP on YesWeHack platform?

You can create your VDP directly from yeswehack.com :

As a BU owner, a BU manager or a Program manager, you can then access the policy editor: 

From the policy editor, you might then:

  • Edit, create and organize pages
  • Define the default style of pages
  • Access a page's edition mode
  • Manage translation and languages
  • Consult versions, restore versions and revert changes
  • Edit VDP main settings (page title, favicon)
  • Configure the domain(s) for VDP publication
  • Publish the lastest saved version of your VDP

When your VDP (content and layout) is ready to be published: 

1/ Setup your VDP domain

You can use your own domain to publish the VDP, e.g. vdp.mycompany.com. (This is the preferred option for most organisations).

2/ Domain validation and publish

Once the DNS creation and correct setup are completed on your end (see previous step), you can proceed with the VDP publication:

N.B.: If you have multiple domains configured, itwill deploy your VDP on all the domains listed as ‘ready’.

Then, what? 

Once your VDP is published, researchers will be able to submit reports through your VDP page.

You will retrieve the reports directly from the YesWeHack interface, with the same templates, features, workflows and dashboards than your Bug Bounty reports.