A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Thank you for reporting security issues to the Indybay collective! We
# would be happy to publicly acknowledge your contribution to Indybay
# and its users.
# 
# Note, as an anti-spam measure, you may receive a confirmation
# auto-response to which you must reply, otherwise Indybay will not
# receive your email.
Contact: mailto:indybay@lists.riseup.net
Contact: https://www.indybay.org/contact
Expires: 2038-01-19T03:14:07.000Z
Canonical: https://www.indybay.org/.well-known/security.txt