A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Campaign Monitor security contacts and policy

# Where this file should be found, if found somewhere else it's not valid.
Canonical: https://www.campaignmonitor.com/.well-known/security.txt
Canonical: https://xxx.createsend.com/.well-known/security.txt

# Our security contact channels
Contact: https://www.campaignmonitor.com/trust/report-a-vulnerability/
Contact: mailto:campaignmonitor@submit.bugcrowd.com

# Link to our vulnerability disclosure policy
Policy: https://www.campaignmonitor.com/policies/

# Languages that our team speaks and understands
Preferred-Languages: en-US

# When this information is considered stale.
Expires: 2024-06-20T05:00:00.000Z