At is*hosting, we build infrastructure for developers, ops engineers, and product teams. Our users are technical, and some were already sending reports through informal channels (thanks, support team). It was time to create a clear, safe path for responsible disclosure.

In July 2024, we launched a Vulnerability Disclosure Program (VDP) on HackerOne — private first, then public.

When we were considering HackerOne, we couldn't find stories like this. There were landing pages, vague claims, and many hacker success stories. Is there some secret place where companies share their side of bug bounty?

If you're in the same place now, deciding how to approach security disclosure and whether it's worth the time and money, we hope this helps.

What it brought us

Over 12 months, we received 200 reports.

11 were accepted as valid. None were critical. And it was still worth it.

We cleaned up small issues, mostly theoretical or only possible through odd combinations of edge cases and misbehavior. Not threats, but useful chances to make systems more predictable and refine internal processes.

Another upside is that security reports stopped landing in support chat or bouncing between people. Everything flowed through a consistent channel visible only to the right folks, and engineers got context from day one.

We used HackerOne Triage to filter submissions — a decision that proved essential. The vast majority of reports were low-effort or AI-generated. Some tried changing front-end values and claimed "balance impact." Others pasted raw scanner logs.

Without triage, we'd have spent far more time on noise than on signal.

What didn't happen, and why we stopped paying

We didn't find any serious vulnerabilities.

The initial spike faded within weeks. After we addressed common scanner targets, the stream settled at 1–3 reports per month. It was mostly shallow, often automated with tools like Burp Suite.

Early on, the main value was the triage team filtering out junk. But at low report volume and quality, the cost became hard to justify.

Paying $1,000+ monthly just to stay listed in the HackerOne directory stopped making sense.

We paused the subscription because it did its job.

We now run a simpler VDP on our site, featuring a clear form and basic instructions. We still invite researchers to report issues.

"But where's the real research?"

We never expected a full security audit from volunteers. That would be naive. And we don't blame researchers for submitting low-effort work to public VDPs, as these platforms often incentivize such behavior.

On HackerOne, building reputation on public programs unlocks access to private, paid ones with real bounties. Public VDPs attract volume, not necessarily quality.

AI makes this worse. It's now trivial to generate large numbers of low-effort reports, hoping a few stick. Daniel Stenberg, creator of curl, called this "AI slop" in his FrOSCon 2025 keynote.

It's a slow-motion DDoS on maintainers that wastes everyone's time. Platforms haven't done much to curb it yet, so teams should be realistic about the signals they'll get and the effort needed to filter them.

What we'd tell others

We do recommend running a VDP, especially if you're building trust. But start with:

  • A clear, safe disclosure channel (self-hosted or embedded from a platform).
  • A triage buffer: if platform algorithms promote your program, the initial spike will be fast and messy.
  • No monetary rewards unless you're ready to manage the attention they attract.

And we don't recommend starting with public bug bounty programs. Even with triage, your team will spend time reviewing and replying to reports that add little value. If you're not ready for that load, it's more likely to drain resources than improve security.

Additionally, the "best reports arrive in the first 24–48 hours" line you see in platform marketing is simply marketing. We didn't see it.

Final thought

In our case, we confirmed what we hoped: our infrastructure is resilient, our approach works, and our customers can trust the platform they're using.

If you've run your own VDP or bug bounty and the reality didn't quite match the sales pitch, we'd love to hear what you learned.

And if you're curious about how our disclosure process works today, visit our VDP page and take a look at how we handle security reports now.

This story was first published on LinkedIn.