
Vulnerability Disclosure Policy Guide for India

A Vulnerability Disclosure Policy is now table-stakes for Indian SaaS, fintech and any business serving regulated customers. Without one, well-meaning researchers go silent or go public. Here is what an Indian VDP should contain, the safe-harbour wording that works, and a template you can adapt.

Published 23 May 2026 · 9 min read · Codesecure VAPT Team

Key Takeaways

  • A Vulnerability Disclosure Policy (VDP) tells external researchers how to safely report vulnerabilities to your business. Without one, you discourage reports or invite uncoordinated public disclosure.
  • VDP is not a bug bounty. VDP is a free, baseline channel. Bug bounty is an optional paid layer on top.
  • Safe harbour language is the most important section. It tells the researcher you will not pursue legal action for good-faith testing within the policy.
  • ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling) are the international standards. CERT-In has India-specific responsible disclosure guidance.
  • DPDP, RBI, SEBI: regulated Indian businesses increasingly need a documented VDP for compliance and customer questionnaire responses.

What Is a Vulnerability Disclosure Policy?

A Vulnerability Disclosure Policy is a published document that tells external security researchers, customers, and ethical hackers how to report a vulnerability in your products or services. It defines what is in scope, what is out of scope, how to submit a report, the response timeline they can expect, and the legal protections you offer for good-faith testing.

Indian businesses without a VDP typically experience one of three failure modes: (1) the researcher cannot find a way to contact security and gives up, (2) the researcher emails sales or support and the report dies in a ticket queue, or (3) the researcher publishes the vulnerability publicly because the business did not respond. Each is worse than having a VDP. The cost of writing and publishing one is low. The cost of not having one shows up in regulator complaints, customer questionnaires, and the occasional Twitter thread.

VDP vs Bug Bounty: Different Programmes

A VDP is a free, always-on channel for receiving vulnerability reports. There is no monetary reward for the researcher. The business commits to triage, acknowledge, fix, and (often) credit the researcher publicly if they choose.

A bug bounty is a paid programme, usually run on a platform like HackerOne, Bugcrowd, Intigriti, or Synack. Researchers receive monetary rewards based on a bounty table tied to severity. Bug bounty without a VDP underneath is a mistake: many researchers will not report through a paid platform and the platform's scope is often narrower than what the business actually wants to receive.

Most mature Indian SaaS firms publish both: a public VDP at /security (free, broad scope) and a private or invite-only bug bounty (paid, focused scope) on a platform. This combination captures the long tail of reports and pays for the high-quality work.


What a VDP Document Should Contain

A complete VDP covers eight components. Each section is short and direct; the goal is a document a researcher can read in five minutes and immediately know how to act.

  • Scope: which products, domains, IP ranges, mobile apps, APIs and binaries are in scope
  • Out of scope: third-party services, physical security, social engineering, DoS, automated scanning, and anything else that is explicitly off-limits
  • How to submit: email address (typically security@yourdomain), PGP key, web form, or platform link
  • What to include in a report: vulnerability description, affected URL or endpoint, steps to reproduce, impact, suggested remediation
  • Response timeline: acknowledgement window (24 to 72 hours), triage window (5 working days), resolution target (varies by severity)
  • Safe harbour: legal protection for good-faith testing within scope
  • Acknowledgement: how and when researchers will be credited (hall of fame, CVE assignment, public acknowledgement)
  • Coordinated disclosure terms: requested disclosure window (typically 90 days), what happens if a fix takes longer
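The "how to submit" component above is only useful if a researcher can find it. The standard machine-readable pointer is a security.txt file at /.well-known/security.txt (RFC 9116), which carries the contact address, the PGP key location, the policy URL, the hall-of-fame URL and a mandatory expiry date. The following is an added example, not part of the article or of Codesecure's template: it renders such a file from a small dictionary and then checks it for the mistakes that most often make the pointer useless (missing Contact or Expires, an expiry already in the past, plain-http URLs). The domain example.in and every URL and date in it are constructed placeholders.

```python
"""Render and sanity-check a security.txt (RFC 9116) that points at a published VDP.
Added example; example.in and all URLs below are constructed placeholders."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def example_fields(now: datetime) -> Dict[str, List[str]]:
    """Constructed sample values for a hypothetical company at example.in."""
    expires = (now + timedelta(days=180)).replace(microsecond=0)
    return {
        "Contact": ["mailto:security@example.in"],
        "Expires": [expires.isoformat().replace("+00:00", "Z")],  # ISO 8601, required
        "Encryption": ["https://example.in/security/pgp-key.txt"],  # PGP key for sensitive reports
        "Policy": ["https://example.in/security"],  # the VDP itself: scope and safe harbour
        "Acknowledgments": ["https://example.in/security/hall-of-fame"],
        "Preferred-Languages": ["en, hi"],
        "Canonical": ["https://example.in/.well-known/security.txt"],
    }


def render_security_txt(fields: Dict[str, List[str]]) -> str:
    """Serialise fields as 'Name: value' lines; a field may repeat (e.g. several Contacts)."""
    lines = ["# Vulnerability disclosure contact; see Policy for scope and safe harbour"]
    for name, values in fields.items():
        for value in values:
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse the file back; comments and blank lines are ignored."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")  # first colon only; URIs contain more
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(fields: Dict[str, List[str]], now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the file is usable."""
    problems: List[str] = []
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("Contact is required (RFC 9116)")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a mailto:, https:// or tel: URI: {contact}")
    expires = fields.get("Expires", [])
    if not expires:
        problems.append("Expires is required (RFC 9116)")
    elif len(expires) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append("Expires is in the past: researchers will treat the file as stale")
            elif when > now + timedelta(days=366):
                problems.append("Expires is over a year out; RFC 9116 recommends less than a year")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
    if not fields.get("Policy"):
        problems.append("Policy missing: researchers cannot find scope or safe harbour terms")
    if not fields.get("Encryption"):
        problems.append("Encryption missing: no PGP key for sensitive reports (recommended)")
    for name, values in fields.items():
        for value in values:
            if value.startswith("http://"):
                problems.append(f"{name} uses plain http://; RFC 9116 requires https URLs")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    text = render_security_txt(example_fields(now))
    print(text)
    print("problems:", validate_security_txt(parse_security_txt(text), now))
```

Re-run the validator from a scheduled job, not just at publication: the Expires field is the check that most often fails silently months later, and a stale file tells a researcher the programme is unattended.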

Safe Harbour: The Section That Actually Matters

Safe harbour is the single most important section of a VDP. It is the explicit, written promise that your business will not pursue legal or technical action against a researcher who follows the policy in good faith. Without this section, every researcher considering a report has to weigh the legal risk of testing your systems against the public good of reporting. Most rational researchers, given that choice, walk away.

Recommended wording (adapt with your own legal team): 'If you make a good faith effort to comply with this Vulnerability Disclosure Policy during your security research, we will consider your research to be authorised, will work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorisation known.'

Safe harbour is bounded. It does not authorise actions outside scope, attacks on third parties or on production data, disruption of services, or violation of privacy laws. The policy makes these boundaries explicit.

Indian Regulatory Context

Several Indian regulatory frameworks now expect a documented VDP or equivalent. CERT-In Vulnerability Note Database guidance and responsible disclosure expectations apply to vendors of software widely deployed in India. The RBI Cyber Security Framework expects regulated banks and NBFCs to have a documented process for receiving and acting on external vulnerability reports. SEBI has similar expectations for stock exchanges, depositories and registered intermediaries. The DPDP Act 2023 Section 8 reasonable security safeguards obligation broadly covers having a vulnerability management process that includes external inputs.

Customer security questionnaires, especially from international parents and enterprise customers, increasingly include 'do you have a published VDP' as a checkbox question. A simple yes with a URL is a substantial uplift in customer trust.


Sample VDP Template Structure

Below is the structure of the template Codesecure provides to customers. Each section is 100 to 250 words in the actual document, so the full VDP is typically 2 to 4 pages.

  • 1. Introduction and Purpose
  • 2. Scope (domains, products, mobile apps, APIs)
  • 3. Out of Scope and Prohibited Activities
  • 4. How to Submit a Report (security@, PGP key, web form)
  • 5. What to Include (reproduction steps, impact, affected component)
  • 6. Our Commitments (acknowledgement timeline, triage timeline, fix timeline by severity)
  • 7. Safe Harbour Statement
  • 8. Coordinated Disclosure Terms (90-day default, fix extensions)
  • 9. Recognition and Hall of Fame
  • 10. Contact and Updates (last reviewed date, version)

Operating the Programme Day to Day

Publishing a VDP is the start, not the end. Day-to-day operations need a triage owner (usually within the security team), an SLA for acknowledgement, a triage rubric that mirrors the published timeline, an escalation path inside engineering, a tracker (Jira, Linear, GitHub Issues) for each accepted report, and a closure workflow that includes researcher communication when the fix ships.

Many Indian businesses that publish a VDP and then under-resource it end up worse off than businesses without one. The published commitments must match what the team can actually deliver. A 24-hour acknowledgement promise is meaningless if the inbox is monitored only on weekdays during business hours. Be conservative in the published SLA and over-deliver in practice.
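The point about matching published commitments to what the inbox can actually deliver is easy to test before the policy goes live. The following added example (not from the article or from Codesecure's tooling) models the commitments in the timeline section, acknowledgement in hours, triage in working days, fix targets by severity and the 90-day disclosure window, computes the deadlines for a report, and reports which commitments a given timeline misses. The SLA numbers, the report and the timestamps are constructed assumptions; the sample report arrives on a Friday evening and is acknowledged on Monday morning, which meets a 72-hour promise and breaks a 24-hour one.

```python
"""Deadline and breach calculator for a VDP's published commitments.
Added example; SLA values and the sample report are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so sample timestamps stay readable."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Commitments:
    """Published SLA. Assumed values drawn from the ranges given in the article."""
    ack_hours: int = 72
    triage_working_days: int = 5
    disclosure_days: int = 90
    fix_days_by_severity: Dict[str, int] = field(
        default_factory=lambda: {"critical": 7, "high": 30, "medium": 60, "low": 90})


@dataclass
class Report:
    report_id: str
    received: datetime
    severity: Optional[str] = None        # set at triage
    acknowledged: Optional[datetime] = None
    triaged: Optional[datetime] = None
    fixed: Optional[datetime] = None


def add_working_days(start: datetime, days: int) -> datetime:
    """Advance by whole working days, skipping Saturday and Sunday (public holidays not modelled)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadlines(report: Report, sla: Commitments) -> Dict[str, datetime]:
    """Deadlines implied by the published commitments for this report."""
    due = {
        "acknowledge": report.received + timedelta(hours=sla.ack_hours),
        "triage": add_working_days(report.received, sla.triage_working_days),
        "disclosure": report.received + timedelta(days=sla.disclosure_days),
    }
    if report.severity is not None:
        # the fix clock starts at triage, when severity is known; fall back to receipt
        clock_start = report.triaged or report.received
        due["fix"] = clock_start + timedelta(days=sla.fix_days_by_severity[report.severity])
    return due


def breached(report: Report, sla: Commitments, now: datetime) -> List[str]:
    """Commitments missed as of `now`: done late, or not done and the deadline has passed."""
    due = deadlines(report, sla)

    def missed(done: Optional[datetime], deadline: datetime) -> bool:
        return done > deadline if done is not None else now > deadline

    out: List[str] = []
    if missed(report.acknowledged, due["acknowledge"]):
        out.append("acknowledge")
    if missed(report.triaged, due["triage"]):
        out.append("triage")
    if "fix" in due and missed(report.fixed, due["fix"]):
        out.append("fix")
    if report.fixed is None and now > due["disclosure"]:
        out.append("disclosure")  # researcher may publish; agree an extension before this
    return out


# Constructed sample: received Friday 22 May 2026 20:00 UTC, acknowledged Monday morning.
SAMPLE = Report(
    report_id="VDP-2026-0001",
    received=utc(2026, 5, 22, 20),
    severity="high",
    acknowledged=utc(2026, 5, 25, 10),
    triaged=utc(2026, 5, 28, 15),
)

if __name__ == "__main__":
    for name, when in deadlines(SAMPLE, Commitments()).items():
        print(f"{name:12} due {when:%Y-%m-%d %H:%M} UTC")
    print("72h promise, 1 June:", breached(SAMPLE, Commitments(), utc(2026, 6, 1)))
    print("24h promise, 1 June:", breached(SAMPLE, Commitments(ack_hours=24), utc(2026, 6, 1)))
    print("72h promise, 1 July, still unfixed:", breached(SAMPLE, Commitments(), utc(2026, 7, 1)))
```

Running this over the last quarter's real intake, with the SLA you intend to publish, shows before publication whether the team can keep the promise; the same function doubles as the daily check that feeds the tracker and the escalation path.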


Frequently Asked Questions

Do we legally need a VDP in India?

Not statutorily required as a single named obligation today, but practically expected. RBI and SEBI regulated entities, government suppliers, and enterprise vendors increasingly need a documented VDP for customer questionnaires and audit evidence. The DPDP Act Section 8 reasonable security safeguards obligation is broadly interpreted to include having a documented vulnerability intake process.

Is publishing a VDP risky? Won't it invite more attacks?

No. The researchers who find vulnerabilities will find them whether you have a VDP or not. The VDP determines what happens after they find one. The choice is between a private report you can act on, or a public disclosure (or worse, silence) that costs you more. Every mature security programme publishes a VDP.

Should we use a platform like HackerOne or Bugcrowd?

For VDP, a simple email plus a static page is enough to start. For bug bounty (paid), a platform reduces operational overhead, provides triage support, and gives access to a researcher community. Many Indian SaaS firms run VDP in-house and bug bounty on a platform, which is a sensible split.

How much does it cost to set up a VDP?

The VDP document itself costs nothing beyond a few hours of work plus a legal review of the safe harbour wording. The ongoing cost is in the security team's time to triage and respond to reports. Codesecure helps customers establish VDPs as part of our compliance and security programme work.

Can Codesecure help us write our VDP?

Yes. We provide a template, help adapt it to your scope and product mix, review the safe harbour wording with your legal team, and help establish the triage process. Often this is a small add-on to an ISO 27001 or SOC 2 readiness engagement, where the VDP is one of the documented controls.


Codesecure VAPT Team

OSCP / CEH / CISSP Certified Penetration Testers

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs manual, OSCP-led VAPT across web, API, mobile, network, cloud, Active Directory, IoT, wireless and thick client. Named consultants, fixed-price proposals, free retest within 90 days. 150+ businesses secured across India, Singapore, UAE, Australia and the Middle East.
