To set up an Essential VDP, you’ll need to create a vulnerability disclosure page on your website and link it to the HackerOne inbox via an embedded form or email forwarding. The vulnerability disclosure page should be short, simple, and inviting. VDPs are well-defined by industry norms and standards, which minimizes the boilerplate text you need to provide.
Follow this guide to set up a successful page for your website.
Creating a Vulnerability Disclosure Page
The page should address three main aspects:
A warm invitation to send along any vulnerability discoveries: Set a positive and welcoming tone.
The vulnerability reporting mechanism: Communicate how external parties can report their findings to you. We recommend embedding our vulnerability submission form to make submitting a report as accessible as possible. Alternatively, you can list an email address and configure it to forward to your Essential VDP inbox.
Any unique aspects of your organization: This is usually not needed, but an important clarification is occasionally required. For example, you may need to name assets that your organization does not host or own and therefore cannot authorize testing on.
You can skip some topics on your page as industry norms and standards already cover them. This includes disclosure practices, safe harbor, safe testing procedures, and the types of findings that typically have no impact.
Please make sure the vulnerability disclosure page is easy to find on your website. We recommend hosting it no more than two clicks away from your homepage. If available, we recommend using www.[yourdomain].com/security and linking to this page from your website’s footer menu. We also recommend serving a security.txt file in the standard location.
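The security.txt file mentioned above is defined by RFC 9116 and is served at /.well-known/security.txt. The following Python script is an added example, not code from this page or from HackerOne: it parses a constructed sample file and checks the points a defender most often gets wrong (the required Contact and Expires fields, Contact values that are not URIs, an Expires date that has passed or is more than a year out). The domain, URLs, dates and the REFERENCE_NOW timestamp are illustrative placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a file served at https://www.example.com/.well-known/security.txt
# (placeholder values, not a real deployment).
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://www.example.com/security
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://www.example.com/.well-known/security.txt
Policy: https://www.example.com/security
"""

# Constructed counter-example: plain http URL as Contact and no Expires field.
BROKEN_SECURITY_TXT = """\
Contact: http://www.example.com/security
"""

# Fixed "current time" so the checks are reproducible (placeholder value).
REFERENCE_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)

REQUIRED_FIELDS = {"Contact", "Expires"}
# Field names defined by RFC 9116; anything else is reported as unknown.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}


def parse_security_txt(text):
    """Return {field_name: [values]} from a security.txt body, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as e:
        return [str(e)]

    for name in sorted(REQUIRED_FIELDS - set(fields)):
        problems.append(f"missing required field: {name}")
    for name in sorted(set(fields) - KNOWN_FIELDS):
        problems.append(f"unknown field: {name}")

    # RFC 9116 requires Contact values to be URIs; web URLs must use https.
    for contact in fields.get("Contact", []):
        if not re.match(r"^(mailto:|https://|tel:)", contact):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {contact}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    for exp in expires[:1]:
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {exp}")
            continue
        if when <= now:
            problems.append(f"security.txt has expired: {exp}")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends at most a year)")
    return problems


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        found = check_security_txt(body, now=REFERENCE_NOW)
        print(label, "OK" if not found else found)
```

Run it against the file you intend to publish before linking it from your security page; an expired or malformed security.txt is worse than none, because researchers who find it will assume the contact details are stale.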
For an example of what this page could look like, please take a look at Logitech’s VDP.
Vulnerability Disclosure Page Template
Once you start creating your vulnerability disclosure page, we recommend using the following template as a foundation for the page:
Vulnerability Disclosure Guidelines
We value the contributions of the security research community and recognize the importance of a coordinated approach to vulnerability disclosure. If you have discovered a security vulnerability, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly.
Adhering to industry standards is important to us, and our program is covered by Coordinated Vulnerability Disclosure, Safe Harbor, Open Scope and Core Ineligible Findings, and Detailed Platform Standards.
[Embed the HackerOne submission form here -OR- Provide a security@ email that is set up to forward to your HackerOne inbox]
Vulnerability Reporting Mechanism
Next is the vulnerability reporting mechanism(s). This is how you’ll receive vulnerability submissions.
Complete the in-platform VDP onboarding checklist to configure your intake mechanisms.
Your Essential VDP has two intake methods that can be used independently or jointly:
The embedded submissions form allows the external reporter to fill out pre-defined fields and submit the form, which will populate a report in your HackerOne inbox.
The embedded submissions form supports anonymous submissions. Allowing anonymous submissions from external parties is a requirement in certain jurisdictions where VDPs are mandated.
You can configure an email address, such as security@yourdomain.com, to forward into your HackerOne inbox.
This intake method leverages email and does not support anonymous submissions.
We recommend using the embedded submissions form on your new vulnerability disclosure page. Email forwarding can be configured as a secondary or backup intake method.
After completing these steps and publishing your new vulnerability disclosure page with reporting guidelines and an intake mechanism, your VDP will be active and ready to accept submissions from hackers.
Following Industry Standards
The HackerOne Essential VDP product is standardized so that you can be confident you are meeting emerging regulations and so that participants are confident in reporting vulnerabilities to you. These standards will all apply:
FAQ
I am stuck in my Essential VDP setup. Where can I reach out for help?
Essential VDP doesn’t include dedicated support, but you can still reach us at vdp@hackerone.com. We’ll do our best to respond quickly.
How can I deactivate my Essential VDP?
To stop receiving vulnerability reports from your Essential VDP, remove the submission form from your vulnerability disclosure page and disable email forwarding. If you want to deactivate your account completely, please contact vdp@hackerone.com with the request.
How can I determine what compliance or regulatory frameworks apply to my business?
Please check out the Global Vulnerability Disclosure Policy Map.
Are Essential VDPs publicly listed on HackerOne?
No, the Essential VDP offering does not include public listing in the HackerOne directory. If you would like to increase your program’s visibility and be featured in the directory, explore upgrading to our Professional offering.