# VDP Widget

A Vulnerability Disclosure Policy (VDP) is a public page on your website that tells security researchers how to responsibly report vulnerabilities they find in your systems. Catchify provides an embeddable widget that makes it easy to add a professional, branded VDP page to your website in minutes.

## What is a VDP?

A Vulnerability Disclosure Policy publicly communicates that your organization:

* Welcomes responsible security research
* Has a clear process for receiving and handling vulnerability reports
* Will not take legal action against researchers who follow the policy
* Is committed to maintaining secure systems

Many international standards and regulations (including ISO 27001 and SAMA guidelines) recommend or require organizations to have a VDP in place.

{% hint style="info" %}
A VDP is different from a bug bounty program. A VDP is a policy for responsible disclosure -- it does not necessarily involve financial rewards. However, the two can work together: your VDP can direct researchers to your Catchify bug bounty program.
{% endhint %}

## Setting Up the VDP Widget

### Step 1: Configure Your Policy

1. Navigate to **Integrations** in the main menu
2. Find the **VDP Widget** card and click **Configure**
3. Customize your policy settings:
   * **Organization name** -- Your company name as it should appear on the widget
   * **Contact email** -- The email address for vulnerability reports (you can use your Catchify support email)
   * **Scope** -- Describe which systems are in scope for reporting
   * **Response commitment** -- How quickly you commit to acknowledging reports (for example, "within 3 business days")
   * **Safe harbor statement** -- A statement protecting researchers who follow your policy

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-9e4e0d1bf53f6267d13bff58f533223cee60cbfb%2Fintegrations-vdp.png?alt=media" alt="VDP widget configuration page with organization name, email, and scope fields"><figcaption><p>Customize your VDP policy details</p></figcaption></figure>

### Step 2: Customize Appearance

You can customize the look of the widget to match your website:

* **Theme** -- Choose between light and dark themes
* **Accent color** -- Match your brand color
* **Position** -- Choose where the widget appears on your page (embedded or floating button)

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-9e4e0d1bf53f6267d13bff58f533223cee60cbfb%2Fintegrations-vdp.png?alt=media" alt="Widget appearance settings showing theme, color, and position options"><figcaption><p>Match the widget to your website's look and feel</p></figcaption></figure>

### Step 3: Add the Widget to Your Website

After configuring your policy and appearance, Catchify will provide a small code snippet to add to your website. Share this snippet with your web development team and ask them to add it to the appropriate page (usually your security page or footer).

The snippet is a single line that loads the widget -- your development team will know what to do with it.

{% hint style="success" %}
The widget is hosted by Catchify, so it always stays up to date. If you change your policy settings in the portal, the widget on your website updates automatically -- no code changes needed.
{% endhint %}

## What Visitors See

When someone visits your VDP page, they see:

* Your organization name and branding
* The scope of systems covered by the policy
* Clear instructions on how to submit a report
* Your response time commitment
* The safe harbor statement
* A submission form for reporting vulnerabilities

Reports submitted through the VDP widget are routed through Catchify and appear in your portal alongside your bug bounty reports, so you can manage everything in one place.

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-9e4e0d1bf53f6267d13bff58f533223cee60cbfb%2Fintegrations-vdp.png?alt=media" alt="VDP widget as seen by a visitor on the company website"><figcaption><p>A clean, professional vulnerability disclosure page on your website</p></figcaption></figure>

## Benefits of a VDP Widget

| Benefit                       | Description                                                                                 |
| ----------------------------- | ------------------------------------------------------------------------------------------- |
| **Professional presentation** | Shows security researchers that your organization takes security seriously                  |
| **Centralized management**    | Reports come through Catchify alongside your other security findings                        |
| **Compliance**                | Helps meet regulatory requirements for responsible disclosure policies                      |
| **Easy maintenance**          | Update your policy from the Catchify portal -- changes appear on your website automatically |
| **Branding**                  | Customizable appearance matches your website design                                         |

## Managing Your VDP

After setup, you can update your policy at any time from the Integrations page:

* **Edit policy text** -- Update scope, response commitments, or contact information
* **Change appearance** -- Adjust colors, theme, or positioning
* **View submissions** -- Reports from the VDP widget appear in your Bug Bounty reports section
* **Disable widget** -- Temporarily hide the widget from your website

{% hint style="warning" %}
If you disable the VDP widget, the code snippet stays on your website but displays nothing. Remove the snippet from your website if you no longer want the widget, or re-enable the widget in the portal to make it visible again.
{% endhint %}
