A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Our email address for reporting suspected security issues
Contact: security@chadis.com

# Our PGP key is available here. Please encrypt all communications regarding
# suspected security issues or vulnerabilities.
Encryption: https://www.chadis.com/security.pgp.txt

# Disclosure Statement
# CHADIS strives to be as transparent as possible when it comes to security
# issues. We ask that researchers and others practice "responsible" or
# "coordinated" disclosure of any security issues with CHADIS in order to
# protect our clients and their data.
#
# If you wish to investigate potential security issues with a CHADIS product,
# please contact us at our contact address above to request whatever level
# of access you require in order to make your investigations in the
# appropriate environment (e.g. a testing environment).
#
# If you submit a report of a potential security issue to CHADIS, you
# should expect to receive a confirmation of the report within 24 hours. If
# you do not receive a receipt confirmation, please reach out to us again.
#
# After notifying you of our receipt of your report, we will perform an
# initial investigation of the report and reply within 24 hours with
# an opinion about the report. The "opinion" will likely fall into one of
# several categories: (a) not considered a bug (where the reported behavior
# is expected), (b) not a bug in CHADIS (such as a bug in another component
# such as a web browser), or (c) a confirmed security issue.
#
# In the event that CHADIS confirms a security issue, we will likely ask you
# to delay any publication of the reported issue until CHADIS has had a
# reasonable chance to address the issue and notify our customers
# (if appropriate).
#
# Once addressed, you are free to publish the results of your investigations
# and CHADIS will include an acknowledgement of your report on our
# acknowledgements page. For certain types of security issues, we may ask that
# you do not publish complete details of the vulnerability. Any such requests
# will be made by CHADIS specifically in writing and we will provide a
# justification for any such requests.