Managed Vulnerability Disclosure Program

A Managed Vulnerability Disclosure Program (Managed VDP) is a fully managed process that allows organizations to receive vulnerability reports from ethical hackers in a safe, structured, and legally protected way.
WebSec creates your Responsible Disclosure Policy, includes safe harbor clauses, defines the scope, and facilitates the entire reporting process from triage to final reporting.

A Managed VDP helps to:

• Detect and fix vulnerabilities quickly
• Increase trust with customers, partners, and researchers
• Meet compliance requirements such as ISO 27001
• Reduce legal risk through clear guidelines and safe harbor clauses

1. Tailored Policy – We create a professional Responsible Disclosure or VDP policy, customized for your organization.
2. Publication – You receive a ready-to-use link and reporting form for your website.
3. Validation & Triage – We review reports for relevance, reproducibility, and completeness.
4. Resolution & Retesting – We guide prioritization, remediation, and retesting of vulnerabilities.

• €100/month – when combined with a WebSec pentest
• €200/month – without pentest
• +€25/month per additional policy – e.g., for extra entities or applications
• No limit on the number of domains in scope

• Bugcrowd: ± €920–€1.380/month
• HackerOne: ± €1.150–€3.860/month
• Zerocopter: starting from €1.000/month (can go up to €5.000/month)

• Standard VDP: The organization manages the policy, communication, and follow-up internally.
• Managed VDP: WebSec handles the policy, triage, reporting, and researcher coordination, reducing workload for your internal team.

By including safe harbor provisions in the policy (legal indemnification), ethical hackers who follow the rules are legally protected. This prevents misunderstandings and reduces liability risk.

Yes, we facilitate worldwide participation via a public policy and reporting form.
Note: Reports from sanctioned countries are not accepted.

1. Acknowledgement – automatic confirmation to the researcher
2. Assessment – check for relevance, reproducibility, and completeness
3. Classification – prioritize based on impact and likelihood
4. Reporting – only validated reports are sent to the client

Yes, you can expand the scope at any time. We update the policy and reporting form at no extra cost. Additional policies are €25/month each.

WebSec aims to triage and report within 1–3 business days. Critical vulnerabilities are always prioritized.

We guide the full remediation process, including researcher communication, solution advice, and retesting after the fix.

Yes, our reports are structured to support ISO 27001 audits, security assessments, and compliance documentation.

Yes, many clients combine a Managed VDP with our Security Subscription, where the policy is already included. This creates a complete security program.