A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find, and a security.txt notice is the simple, standardized way to point researchers to it.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:siem@comfy.ua
Expires: 2027-12-31T06:00:00.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/728795938EFC0B71AE1CF50C8316E990ED773D19
Preferred-Languages: en, uk
Canonical: https://comfy.ua/.well-known/security.txt
# Follow this limitation of proof of concepts:
# Nothing spam and social engineering techniques
# Do not playing with Denial-of-service attacks
# For XSS, a simple alert(document.domain) should suffice
# For RCE, please only execute harmless code
# For SQLi, report it as soon as you have SQL errors that indicates SQL injection
# For unvalidated redirects, set the redirect endpoint to http://example.com if possible
# For CSRF, do not go playing around on any internal networks
# For LFI, do not go playing around with any internal files
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRyh5WTjvwLca4c9QyDFumQ7Xc9GQUCZshUjAAKCRCDFumQ7Xc9
GfZ4AP0fWHG71cI2iS43DNdLUDIuQVr8p3x+O5hJ6A8nqD/CHwD/Y1PUcelpdx2m
Qbt9xYBwNjJt7iWch2psTrWUlZyrPQM=
=NSYL
-----END PGP SIGNATURE-----
This policy, crawled by Onyphe on 2025-04-02, is categorized as securitytxt.
FireBounty © 2015-2025