A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:infosec@cfsbrands.com
Encryption: https://keybase.io/cfsbrands/pgp_keys.asc 
Preferred-Languages: en
Canonical: https://www.cfsbrands.com/security.txt
Hiring: https://recruiting.adp.com/srccar/public/RTI.home?c=2171907&d=ExternalCareerSite-CFS
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.1.3
Comment: https://keybase.io/crypto

wsBcBAABCgAGBQJeMbUIAAoJEKdNor90IB6dR9sH/07t4pOyJetfNXp4kLcpPD4N
qxq5n7e47K1K7F6a6oixFVwsl36/HLqyVsgWZs9uHM2aYzBuqfWuhfwctii/CsD7
bVXJCjnrz9VoukU/8FMHvrLa+xeHT22OIT/w9hOxY8Z5ZOtJSvFLKQl+xxT3msbB
xjMVNAj63vuhSh1xLF6gZxcx6fdvI0kfZGdfh9g3mUKK5g4I21kYfxe0mM7pu0NQ
FM9NZ5FUJ1M5hoJ3gTro8RQZk5BbmpGnhtAAK/PNCOxRTXEKNdGxZaxx4prf5d70
ImxvwjfwAmPb63DeW1Dn0FKXWMJXeOeV4fjOMPBInp7cgllTkA/8io312nt7fU8=
=2E2k
-----END PGP SIGNATURE-----