Overview
A Vulnerability Disclosure Program (VDP) provides a 'front door' through which the security community can help an organization improve its security. It defines the scope of what may be tested, how findings are to be reported, and the organization's commitment to fixing the issues that are reported.
Key Elements
- Scope: Which systems and applications are included in the program.
- Safe Harbor: A promise not to take legal action against researchers who follow the program's rules.
- Reporting Channel: A secure way to submit vulnerability reports.
- Communication: A commitment to acknowledge reports and provide updates on remediation.
VDP vs. Bug Bounty
While a VDP provides a framework for reporting, it does not necessarily offer financial rewards. A Bug Bounty program is a type of VDP that pays researchers for valid reports.