A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Contact information to use for reporting vulnerabilities
Contact: mailto:security@cert.br

# Link to a key to be used for encrypted communication
Encryption: https://cert.br/pgp/CERTbr.asc

# List of preferred languages for security reports
Preferred-Languages: en, pt-br

# Date and time after which this file is considered stale
Expires: 2027-01-15T23:59:00Z

# EOF
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTlqD5ef7L0SPcuSsdivmDc2lVuiAUCaWUZ6AAKCRBivmDc2lVu
iA4WAQCnsU1l4+AU9xz2QeseKzw+FfA9fyTCxxj9XdGGJwmM5QD/Zr7F1g2YJRSs
1JhjHdpVqb6oOmsBw3fj8zrf6da2qAM=
=rL+m
-----END PGP SIGNATURE-----