A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# security.txt, as per RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116.html)

# Please note, this security.txt file is for IRF Uppsala (irfu.se),
# and our other sites and public code (*.irfu.se, github.com/irfu/).
# Should you find any issues at our headquarters IRF Kiruna (irf.se) then
# please have a look at their security.txt file
# https://www.irf.se/.well-known/security.txt

# Rewards (bounty) only in form of acknowledgements
Acknowledgments: https://www.irfu.se/security-acknowledgments.txt

Canonical: https://www.irfu.se/.well-known/security.txt

# Our security contact info
Contact: mailto:security@irfu.se
Contact: mailto:jan.karlsson@irfu.se
Contact: mailto:thomas.nilsson@irfu.se
Contact: tel:+46-18-471-59-43

# PGP key
# (Thomas Nilsson, full fingerprint and URL)
Encryption: openpgp4fpr:13bb98dcf1836dfa0235b70d9c09781fc6ac9cca
Encryption: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9c09781fc6ac9cca

# Languages (English or Swedish)
Preferred-Languages: en, sv

# Expire less than a year into the future, ISO 8601 format (YYYY-MM-DDThh:mm:ss) 
Expires: 2024-05-02T10:30:00Z

# All IRF (& IRFU) vacancies (not specifically security related) are adverticed on this page
# Hiring: https://www.irf.se/en/about-irf/vacancies/