A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# We haven't fully implemented security.txt yet, please find the most critical info below:
# Our security address
Contact: mailto:security@cksource.com
Preferred-Languages: en
Canonical: https://ckeditor.com/.well-known/security.txt

# Alternatively, go to https://ckeditor.com/contact/ and select "Technical support and security issues".
# Make sure to provide as much details as possible.
# Please do not disclose publicly any security issues until we fix them and publish security releases.
# As soon as we receive the security report, we'll work ASAP to confirm the issue and then to provide a security fix.
# As a thank you, we always give kudos to the reporter, mentioning your name, link to a company name, Twitter account,
# whatever thing you like, in a blog post and the changelog file. Just make sure to let us know if, and how, we can mention you.