A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# This is the New Zealand Ministry of Health - Manatū Hauora.
# If you discover a security vulnerability on one of our websites
# or online services, please contact us.

# Our responsible disclosure guidelines:
Policy: https://www.health.govt.nz/about-this-site/responsible-disclosure-guidelines

# Note that the Ministry of Health is a separate agency
# from Health New Zealand - Te Whatu Ora, though we work closely together
# in many areas.
# Health New Zealand has published its own Privacy and Security advice.
# https://www.tewhatuora.govt.nz/about-our-site/privacy-and-security/

# The Ministry of Health IT Security email address, and the expiry date for this file.
Contact: vulnerability-disclosures@health.govt.nz
Expires: 2025-11-30T23:00:00.000Z