# VDP vs Bug Bounty

If you are exploring ways to improve your organization's security posture, you have likely come across two terms: **VDP** (Vulnerability Disclosure Policy) and **Bug Bounty Program**. Both help you receive vulnerability reports from security researchers, but they work quite differently. This page breaks down what each one is, when to use it, and how they can work together.

## What is a VDP?

A **Vulnerability Disclosure Policy** is a public statement on your website that tells security researchers:

* That your organization welcomes responsible security research
* How they should report vulnerabilities they discover
* What they can expect after submitting a report (response times, process)
* That they will not face legal action for following the policy

Think of a VDP as an open door -- it gives researchers a safe, structured way to let you know about security issues they find. There are no monetary rewards involved; researchers report vulnerabilities out of goodwill, professional responsibility, or for public recognition.

Catchify provides a [VDP Widget](https://docs.catchify.sa/catchify-platform-documentation/integrations/vdp-widget) that you can embed directly on your website. It gives you a professional, branded disclosure page in minutes -- no development work needed beyond adding a small code snippet.

{% hint style="info" %}
Many security standards and regulatory frameworks, including ISO 27001 and the SAMA guidelines, recommend or require organizations to have a vulnerability disclosure policy in place. A VDP helps you meet these requirements.
{% endhint %}

## What is a Bug Bounty Program?

A **Bug Bounty Program** is a paid program where security researchers are financially rewarded for finding and reporting vulnerabilities in your applications. You define the scope (which systems can be tested), set reward amounts based on severity, and Catchify's community of vetted researchers gets to work.

The key difference is the financial incentive. Because researchers are paid for valid findings, bug bounty programs attract a larger pool of skilled, motivated researchers who dedicate real time and effort to testing your systems.

With Catchify, your bug bounty program is fully managed:

* The Catchify team triages every submission before it reaches you
* Duplicate, false positive, and out-of-scope reports are filtered out
* Researcher communication is handled on your behalf
* Rewards are paid from your [Wallet](https://docs.catchify.sa/catchify-platform-documentation/quotes-and-invoices/wallet-and-payments) balance

## Side-by-Side Comparison

|                           | **VDP**                                         | **Bug Bounty Program**                                   |
| ------------------------- | ----------------------------------------------- | -------------------------------------------------------- |
| **Purpose**               | Provide a responsible disclosure channel        | Incentivize researchers to actively find vulnerabilities |
| **Rewards**               | No monetary rewards                             | Paid rewards based on severity                           |
| **Researcher motivation** | Goodwill, recognition, responsible disclosure   | Financial incentive plus recognition                     |
| **Who participates**      | Any researcher who finds an issue               | Vetted researchers invited to your program               |
| **Testing approach**      | Researchers report issues they happen to find   | Researchers actively and continuously test your systems  |
| **Volume of reports**     | Lower -- researchers report opportunistic finds | Higher -- financial incentive drives dedicated testing   |
| **Managed by Catchify**   | VDP Widget hosted and maintained for you        | Full management: triage, communication, and payouts      |
| **Cost to you**           | No reward costs                                 | Reward costs based on findings (pay for results)         |
| **Best for**              | Organizations starting their security journey   | Organizations wanting continuous, incentivized testing   |
| **Compliance**            | Meets VDP requirements (ISO 27001, SAMA)        | Goes beyond compliance with proactive security testing   |

## Which One Should You Choose?

**Start with a VDP if:**

* You are beginning to formalize your security program
* You want a responsible disclosure channel without a budget commitment
* You need to meet compliance requirements that call for a disclosure policy
* You want to signal to the security community that you take security seriously

**Add a Bug Bounty Program if:**

* Your applications are customer-facing and constantly evolving
* You want dedicated, continuous security testing from skilled researchers
* You are ready to allocate budget for security findings
* You want to go beyond compliance and proactively identify vulnerabilities
* Your team prefers to focus on fixing issues rather than managing testing

## Using Both Together

Many Catchify clients use a VDP and a bug bounty program together, and we recommend this approach for organizations that are ready for it. Here is how they complement each other:

1. **Your VDP** serves as the public-facing policy on your website. It tells any researcher who comes across your systems how to report issues responsibly.
2. **Your Bug Bounty Program** is your private, incentivized testing channel. Vetted researchers are actively invited to test specific applications within a defined scope.

Reports from both channels are managed through your Catchify portal, so you have a single view of all incoming vulnerability reports regardless of how they were submitted.

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-9e4e0d1bf53f6267d13bff58f533223cee60cbfb%2Fintegrations-vdp.png?alt=media" alt="VDP Widget integration tab in the Catchify portal"><figcaption><p>Both VDP and Bug Bounty reports are managed from your Catchify portal</p></figcaption></figure>

{% hint style="success" %}
Not sure which approach is right for your organization? Talk to your Catchify account manager. We will help you assess your needs and recommend the best path forward -- whether that is starting with a VDP, launching a bug bounty program, or both.
{% endhint %}

## Next Steps

* **Set up a VDP:** See [VDP Widget](https://docs.catchify.sa/catchify-platform-documentation/integrations/vdp-widget) to embed a disclosure policy on your website
* **Launch a Bug Bounty Program:** See [What is Bug Bounty?](https://docs.catchify.sa/catchify-platform-documentation/bug-bounty-program/what-is-bug-bounty) to learn more, or contact your account manager to get started
* **Manage rewards:** See [Wallet & Payments](https://docs.catchify.sa/catchify-platform-documentation/quotes-and-invoices/wallet-and-payments) to understand how bug bounty rewards are funded
