A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Contact: mailto:cirt@a16z.com
Encryption: https://a16z.com/pgp-key.txt
Preferred-Languages: en
Policy: https://a16z.com/security-policy
Expires: 2027-07-15T00:00:00.000Z
-----BEGIN PGP SIGNATURE-----
iQJCBAEBCgAsFiEEAAKRG/3blKs55AHwZHSAnGwrI88FAmaiemUOHGNpcnRAYTE2
ei5jb20ACgkQZHSAnGwrI8+T5w//Qw3P/CG17c/zMNj95ReXx/tAg9qGYa3tJAg/
hf2CgWe7IZQ5mGfq2kVqFf1tBnMJ8mLWeK02lmhoTQ/y9w5KZGjTlhqpdjNolXyV
8WP8oi9V/Vjdz42+ZGN2Ksv89RC8KaD3GnhDNBqsSZktBukz/Nfb5UG7r/JrgHYC
/PvB5J0kvYDnHidvZqHoy7eTdiGWPuJTvuS5j2+jio/3zkvE1CSoguqzsLdpPnSc
iKAO4+Z+NFkQ5iHlW7zPgfdQJh68yJUK0m2yiza4S17xq6tOBXTFM8Fobou4iOBj
xL2hky49mHUloJxmz2ce+anSyK4ZaS28HHTp3ZYhHrkqsUJdPDR6krtMisuANy2e
KPc5AHbQENyCtzcavH6BJZdo6KPg3iKBtMsBpjJF9sFVeWYKkjKNVkfVDkPGzGYW
qw1Zu+lzZr3nq059L7U0BZHzDgjVNxFdPQ3oLe84DEol7ZG7LPQlf6VeYrLjL9ic
0oY5L9tXo/q049CFPOsRbl6qaCMc66NVBlZ54ueWMcM3qTlzdB8UEEGbNNOZL41I
+TL6BvEqlwMrdGdsm4Q2Ib/i2ZzqOQMbF3DBh3OOymMIRkNRe74j4sIQf65Rn9KH
UBKzOmdEvfCchCgNOEd/q+Bv5V4KyI9QO8G265eqWW0pq6/YZkhNZfXVCp4DBfxq
d9TIrVo=
=CV1o
-----END PGP SIGNATURE-----