A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Our security address
	Contact: security@pingidentity.com

Our public openPGP keys
	For artifact signatures:
	https://keys.openpgp.org/vks/v1/by-fingerprint/A913A88FC21AC4E7EB52D44B45E764CA099D3220
	Expires: 3/27/2027

	For encrypting emails sent to Ping:
	https://keys.openpgp.org/vks/v1/by-fingerprint/DDC83F4D96620E2FDB9785E420925A72CF511FC2
	Expires: 12/31/2026

Artifact signature verification with PingIdentity's public PGP key
	Retrieve our public key, import it to your gpg key ring and verify the artifact's signature.
	$ curl https://keys.openpgp.org/vks/v1/by-fingerprint/A913A88FC21AC4E7EB52D44B45E764CA099D3220 | gpg --import
	$ gpg --verify <artifact-name>.zip.asc <artifact-name>.zip

	Alternatively, you can import the public key from either OpenPGP's or MIT's server:
	$ gpg --keyserver pgp.mit.edu --recv-key 0x45E764CA099D3220
	OR
	$ gpg --keyserver keys.openpgp.org --recv-key 0x45E764CA099D3220

	Please note that unless you sign our public key with your private key, signature verification will throw a warning saying "This key is not certified with a trusted signature!" and "There is no indication that the signature belongs to the owner.". If you would like to verify the public key, please don't hesitate to reach out to the email address above. 

	This file has also been signed with the artifact signing key listed above for additional assurance: https://www.pingidentity.com/.well-known/security.txt.asc

More about Security at PingIdentity:
	https://www.pingidentity.com/en/company/security-at-ping-identity.html