A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP is only useful if a researcher can find it, so it is advertised in a standard place: a security.txt file served at /.well-known/security.txt (RFC 9116), which lists the contact address, the encryption key to use for reports and the URL of the policy itself. The file below is the one published by LoveCrafts; it is PGP clear-signed, so its origin can be checked with gpg --verify once the key referenced in its Encryption field has been imported.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:email@example.com
Encryption: http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x8E141ABD57283D98
#infosec@
Preferred-Languages: en
Canonical: https://www.lovecrafts.com/.well-known/security.txt
Policy: https://www.lovecrafts.com/security.html
Hiring: https://team.lovecrafts.com/
Alt Contact: mailto:firstname.lastname@example.org
Alt Encryption: http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x84FAD8EE05EE393C
#sysadmins@

We do not currently operate a bug bounty programme. If and when we do, this file will be updated.

We request that people refrain from using automated tools such as Nessus, Burp or OWASP ZAP against our production sites, as it is important to maintain our services' availability. We have those tools too; please do not mail us automated reports.

Whilst we admire researchers' enthusiasm and appreciate notifications, to protect your valuable time and ours please *DO NOT* contact us with the following:

* Assumed vulnerabilities based upon version numbers only
* Authentication bypasses that require access to software/hardware tokens
* Attacks that require social engineering (phishing)
* Clickjacking attacks without a documented series of clicks that produce a vulnerability
* Content injection, such as reflected text or HTML tags
* CSRF for non-significant actions (logout, etc.)
* Denial-of-service attacks or issues related to rate limiting
* Missing HTTP headers, except where their absence fails to mitigate an existing attack
* Self-XSS
* Spam (and issues related to SPF/DKIM/DMARC)
* Vulnerabilities that only affect a specific browser
* Vulnerabilities that require access to passwords, tokens, or the local system
* Vulnerabilities discovered shortly after their public release

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE2Ow6r7Bv8eIt7O8SjhQavVcoPZgFAl9R9FgACgkQjhQavVco
PZi7mg//V5yxV5NF5smeRw/BO2T/YsQ2gsoFzbpysgw3lHLeWHhcUZFrRuZkGrWL
jDcmdGlCI9/slGYLDg/jY5mTxHgwm6zx56t9DhDndajDP5X0a/YMuJCzTTvSsSTD
WcDmy8ONpTIxeZaMP3U7fGn68j4SlSJT5Rj6xR7Yrjw8vPCbInYHuOH4yItJhV1V
uVl9Hl2kr4zPs7goMUmbCoHGbByyiI403MUNUJzzPs/T/92GlAnK+Hr+DLSWQ8LT
lJKumDmEll9jYbrWfg9+wvlkd1P0m/F0XdjFQxmtRur96RapjkpbFATPOOjXLKhE
5TGoQj1eCYdOeZKTsAJkj9UI5k8ZUmxwteE+TBSpRjwlGxngk1ZKVyNOXrFFn28A
2eAlvG+lTXg1N8cshLdZMCnUFdQsCxMzNtmJsYR0+PzLtMpU2c/fgMxVK3/1K7Fm
1HvD9mq+R86/B73IhByx0rpXTTjYRQNh/qoamb4lqfO4zzUlS8fu1dzbu7nvN1v7
SiOTe7HodI8ZXBP0hjNgJ5ZeAhV1TvtnFV7xSA8gh+sVhVUH5zPN7tB3ZwP9kMIM
W36HEDuWOTu1iD9J+NeIJ9GtA7hdT9fBcrbwXCQn1d8lE59rc+lUMaI8nlHoSUjg
rQNBXHfisANg4nRSRLPI+33nhxrZ3mMAjNjJZUTxXS9Xol/O/Xk=
=WACb
-----END PGP SIGNATURE-----
This policy was crawled by Onyphe on 2021-05-04 and is categorised as securitytxt.
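A triager receiving a file like the one above wants to know three things before trusting it: whether it is clear-signed, which RFC 9116 fields it carries, and what is missing or off-spec. The parser below is an added example written for this page; it is not code from Onyphe or LoveCrafts. It strips the PGP clear-sign armour (without verifying the signature; that is gpg's job), parses "Name: value" lines, and reports the gaps visible in the file above: no Expires field (required by RFC 9116, which this file predates), a keyserver URL fetched over plain http, and lines such as "Alt Contact: ..." that are neither a valid field nor a "#" comment. The embedded sample is a constructed, shortened copy of the file above.

```python
"""Parse a security.txt file (RFC 9116) and report what a triager would flag.
Added example for this page; not code from Onyphe or LoveCrafts."""
import re
from datetime import datetime, timezone

# Field names defined by RFC 9116 (matched case-insensitively).
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption", "expires",
    "hiring", "policy", "preferred-languages",
}

# Constructed sample modelled on the LoveCrafts file: clear-signed, no
# Expires, keyserver over plain http, one non-standard line. The signature
# body is truncated and is not verified by this code.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:email@example.com
Encryption: http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x8E141ABD57283D98
#infosec@
Preferred-Languages: en
Canonical: https://www.lovecrafts.com/.well-known/security.txt
Policy: https://www.lovecrafts.com/security.html
Hiring: https://team.lovecrafts.com/
Alt Contact: mailto:firstname.lastname@example.org
We do not currently operate a bug bounty programme.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE2Ow6r7Bv8eIt7O8SjhQavVcoPZgFAl9R9FgACgkQjhQavVco
=WACb
-----END PGP SIGNATURE-----
"""

SIGNED_START = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_START = "-----BEGIN PGP SIGNATURE-----"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*?)\s*$")


def strip_clearsign(text):
    """Return (body, is_signed). For a clear-signed file the body is the text
    between the armour headers and the signature block, with RFC 4880
    dash-escaping ("- " prefix) undone. The signature itself is not checked;
    run `gpg --verify` on the original file for that."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != SIGNED_START:
        return text, False
    try:
        body_start = lines.index("", 1) + 1       # blank line ends "Hash:" headers
        sig_start = lines.index(SIG_START, body_start)
    except ValueError:                            # armour present but malformed
        return text, False
    body = [l[2:] if l.startswith("- ") else l for l in lines[body_start:sig_start]]
    return "\n".join(body), True


def parse_fields(body):
    """Return (fields, bad_lines): fields is a list of (name, value) with the
    name lower-cased; '#' comments and blank lines are skipped; anything else
    that is not 'Name: value' goes to bad_lines (RFC 9116 allows no spaces in
    a field name, so 'Alt Contact: ...' is not a field)."""
    fields, bad = [], []
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.append((m.group(1).lower(), m.group(2)))
        else:
            bad.append(line)
    return fields, bad


def check(text, now=None):
    """Return a list of human-readable findings for one security.txt body."""
    now = now or datetime.now(timezone.utc)
    body, signed = strip_clearsign(text)
    fields, bad = parse_fields(body)
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)

    findings = []
    if not signed:
        findings.append("file is not PGP clear-signed")
    if "contact" not in by_name:
        findings.append("no Contact field (required)")
    if "expires" not in by_name:
        findings.append("no Expires field (required since RFC 9116)")
    else:
        raw = by_name["expires"][0]
        try:                                      # ISO 8601; tolerate a trailing Z
            when = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append(f"Expires is in the past: {raw}")
        except ValueError:
            findings.append(f"Expires is not ISO 8601: {raw}")
    for url in by_name.get("encryption", []):
        if url.lower().startswith("http://"):     # key fetched without TLS
            findings.append(f"Encryption key fetched over plain http: {url}")
    for name in by_name:
        if name not in KNOWN_FIELDS:
            findings.append(f"non-standard field: {name}")
    for line in bad:
        findings.append(f"line is neither a field nor a comment: {line!r}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE):
        print("-", finding)
```

Run against a real file with `check(open("security.txt").read())`; the Canonical URL and Contact values are left for the caller to compare against the host the file was actually fetched from, since that comparison depends on the fetch, not on the file.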