A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# This is the security.txt file applicable to the ELCA Group
# We do not have a formal Bug Bounty program yet, but we
#   appreciate and assess the value of all vulnerability
#   reports on a case-by-case basis

# Can be used for vulnerabilities and incidents
Contact: mailto:security@elca.ch
Contact: mailto:privacy@elca.ch
Contact: https://www.elca.ch/en/contact

# This file is reviewed every 12-15 months
Expires: 2025-12-16T13:54:07Z
Preferred-Languages: en, fr, de

# This file can be retrieved from our main site. Other websites will redirect here
Canonical: https://www.elca.ch/.well-known/security.txt

# Feel free to encrypt - ECC/Curve25519 : 4E4C B08F 5299 A75C 783E  6B5D EA1B 33F7 9BF3 4B06
Encryption: https://www.elca.ch/.well-known/elca-pgp-key.txt

# We often have security-related positions available
Hiring: https://careers.elca.ch
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQROTLCPUpmnXHg+a13qGzP3m/NLBgUCZ2GCkQAKCRDqGzP3m/NL
Bk9sAQDob0EjiDO+iab59cQLSHle5tEewLq3udNiQE/95bZYmAEA3PtL1eMbJaIL
N0vc0HMqxY6rTSUDp2BtLbGyDQR5kgw=
=kKd2
-----END PGP SIGNATURE-----