A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: https://hackerone.com/automattic/reports/new
Contact: mailto:security@automattic.com
Encryption: https://automattic.com/security/pgp-key/
Acknowledgements: https://hackerone.com/automattic/thanks
Policy: https://hackerone.com/automattic
Canonical: https://automattic.com/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYKyypKR9U0RG/Ui2MlnE6I/leIgFAmBCqW0ACgkQMlnE6I/l
eIiFYA//SyDQXh4QA0TR//9G2YWmZtEPro9YfpMps9VawqYPncjKemBso8eZ+75T
0JmS67dvHvBDj8AjqXOkkvsvdVX95AyEcjX+gPnht7Ek5gYxZnerEXhyv4DXaMuu
Zk2YpxCweAEpZbv3zO7Zoy7ZRW8xFeh1ne2GJ+w40tQ6idO7mr3J7wwgNgnvtZfk
Q8B/exNj2VG9KSi832hFXZmwbIrrWHlA14z4l3zrFJAZiA+SjBpDC+kW7Zz+Qqa/
Ljnq+r5bMFaa4tI/9dR63P6qZsQMfgvysdu/ivkSSVxWAYzuJoyupUFqcDfd84R6
9N98tHEpqQMb3kpHfZnU/W/iswrp4abNVmz6T80EvRvyl5n/PIV3c5KrQvCAcriv
Q3bk2o7djwSfUEufb1Y4k/mUEjXPdIf4/36YQe2NysiD8kKxlVcrrLllkwWD0voI
EPpJHetHzHrOhp9VNfn0Cbg7vuArg6A0iTd2yckusJ0Sm6o/EajS1+WoouRRFb4v
qD6vrJavW+KfAIho5N4Aua6WxxJVGGs66yxvyNbJBKSBymgB4WsD5LgCIbM8I/FG
tg3sQuD8Y7F2wcR+NdoR50b00jXj5WXQyjCu7VVFI9Qu31pvNcHgENu3NBVzapC8
1ztU7zTCC6B3jOY2GzLOsuBvmjJWUaPBwh/g+Mea5KFxuDNv9RU=
=N2B0
-----END PGP SIGNATURE-----