VDP Widget
A Vulnerability Disclosure Policy (VDP) is a public page on your website that tells security researchers how to responsibly report vulnerabilities they find in your systems. Catchify provides an embeddable widget that makes it easy to add a professional, branded VDP page to your website in minutes.
What is a VDP?
A Vulnerability Disclosure Policy publicly communicates that your organization:
Welcomes responsible security research
Has a clear process for receiving and handling vulnerability reports
Will not take legal action against researchers who follow the policy
Is committed to maintaining secure systems
Many international standards and regulations (including ISO 27001 and SAMA guidelines) recommend or require organizations to have a VDP in place.
A VDP is different from a bug bounty program. A VDP is a policy for responsible disclosure -- it does not necessarily involve financial rewards. However, the two can work together: your VDP can direct researchers to your Catchify bug bounty program.
Setting Up the VDP Widget
Step 1: Configure Your Policy
Navigate to Integrations in the main menu
Find the VDP Widget card and click Configure
Customize your policy settings:
Organization name -- Your company name as it should appear on the widget
Contact email -- The email address for vulnerability reports (you can use your Catchify support email)
Scope -- Describe which systems are in scope for reporting
Response commitment -- How quickly you commit to acknowledging reports (for example, "within 3 business days")
Safe harbor statement -- A statement protecting researchers who follow your policy

Step 2: Customize Appearance
You can customize the look of the widget to match your website:
Theme -- Choose between light and dark themes
Accent color -- Match your brand color
Position -- Choose where the widget appears on your page (embedded or floating button)

Step 3: Add the Widget to Your Website
After configuring your policy and appearance, Catchify will provide a small code snippet to add to your website. Share this snippet with your web development team and ask them to add it to the appropriate page (usually your security page or footer).
The snippet is a single line that loads the widget -- your development team will know what to do with it.
The widget is hosted by Catchify, so it always stays up to date. If you change your policy settings in the portal, the widget on your website updates automatically -- no code changes needed.
What Visitors See
When someone visits your VDP page, they see:
Your organization name and branding
The scope of systems covered by the policy
Clear instructions on how to submit a report
Your response time commitment
The safe harbor statement
A submission form for reporting vulnerabilities
Reports submitted through the VDP widget are routed through Catchify and appear in your portal alongside your bug bounty reports, so you can manage everything in one place.

Benefits of a VDP Widget
Professional presentation -- Shows security researchers that your organization takes security seriously
Centralized management -- Reports come through Catchify alongside your other security findings
Compliance -- Helps meet regulatory requirements for responsible disclosure policies
Easy maintenance -- Update your policy from the Catchify portal; changes appear on your website automatically
Branding -- Customizable appearance matches your website design
Managing Your VDP
After setup, you can update your policy at any time from the Integrations page:
Edit policy text -- Update scope, response commitments, or contact information
Change appearance -- Adjust colors, theme, or positioning
View submissions -- Reports from the VDP widget appear in your Bug Bounty reports section
Disable widget -- Temporarily hide the widget from your website
If you disable the VDP widget, the code snippet on your website will show nothing. Remember to remove the snippet from your website if you no longer want the widget, or re-enable it in the portal to make it visible again.
