A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# As a nonprofit, our options are limited, and as such we unfortunately do
# not have a bug bounty program.
# 
# However, we are thankful for responsible disclosure and, depending on
# the report and its impact, can credit e.g. during one of our infra
# meetings for good work done.

# Please use the following address for responsible disclosure of
# vulnerabilities affecting this website and other online services
# managed by The Document Foundation.
Contact: mailto:hostmaster@documentfoundation.org

# The above address is not a suitable venue for security issues
# related to the LibreOffice *software* -- for such issues please see
# https://www.libreoffice.org/about-us/security/ .

# Please also note that our somewhat lax SPF and DMARC policies are
# *intentional*, as their mere presence does suggest.  Please don't
# send "vulnerability reports" or bounty requests about these.