A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find, and the standard way to publish it is a security.txt file (RFC 9116) served at /.well-known/security.txt. RFC 9116 requires the Contact and Expires fields, expects Contact values to be URIs (for example mailto:security@example.com), and lets the file point to the full policy text through a Policy field rather than carrying that text inline.
Contact: security@example.com
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://yourapp.com/.well-known/security.txt

# Security Policy

## Reporting Security Vulnerabilities

If you believe you have found a security vulnerability in our application, please report it to us by emailing security@example.com.

## Scope

This security policy applies to:

- The main application at https://yourapp.com
- All API endpoints
- User authentication systems
- Payment processing functions

## What we consider in scope:

- SQL Injection
- Cross-Site Scripting (XSS)
- Authentication bypass
- Data exposure
- Server-side request forgery (SSRF)
- File upload vulnerabilities

## Out of scope:

- Social engineering attacks
- Physical attacks
- Denial of service attacks
- Issues in third-party services

## Response Timeline

We aim to respond to security reports within 48 hours and provide regular updates on the investigation progress.

Thank you for helping us keep our users safe!
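The file above mixes RFC 9116 fields with a markdown policy, and its Contact value is a bare email address rather than a mailto: URI. The following added example (written for this page, not code from FireBounty, Onyphe or the site that published the file) is a small security.txt parser and validator that shows how a checker treats such a file: the `#` and `##` headings parse as comments, the free-text lines are flagged as non-field lines, and the Contact and Expires values are checked against the RFC's rules. The two embedded inputs are constructed samples modelled on the file above; the Policy URL in the corrected sample is a hypothetical placeholder.

```python
import re
from datetime import datetime, timezone

# RFC 9116: Contact and Expires are mandatory, the rest optional.
REQUIRED_FIELDS = {"contact", "expires"}
KNOWN_FIELDS = REQUIRED_FIELDS | {
    "acknowledgments", "canonical", "csaf", "encryption",
    "hiring", "policy", "preferred-languages",
}

# Crawl date of the file shown on the page; used as "now" so results are reproducible.
CRAWL_DATE = datetime(2025, 9, 22, tzinfo=timezone.utc)

# Constructed sample: the first lines of the file above, markdown policy included.
SAMPLE = """Contact: security@example.com
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://yourapp.com/.well-known/security.txt
# Security Policy
## Reporting Security Vulnerabilities
If you believe you have found a security vulnerability in our application, please report it to us by emailing security@example.com.
## Scope
- The main application at https://yourapp.com
"""

# Constructed corrected sample: mailto: URI and the policy text moved behind a Policy URL
# (hypothetical URL, assumed for the example).
FIXED = """Contact: mailto:security@example.com
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://yourapp.com/.well-known/security.txt
Policy: https://yourapp.com/security-policy
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+)$")


def parse_security_txt(text):
    """Return (fields, problems): fields maps lowercase field name to its values."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Comment line per RFC 9116; markdown headings land here by accident.
            continue
        m = FIELD_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a field or comment: {line[:40]!r}")
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {name!r}")
        fields.setdefault(name, []).append(value)
    return fields, problems


def validate(fields, now):
    """Semantic checks on parsed fields; returns a list of problem strings."""
    problems = []
    for name in sorted(REQUIRED_FIELDS):
        if name not in fields:
            problems.append(f"missing required field {name!r}")
    for value in fields.get("contact", []):
        # Contact MUST be a URI; bare email addresses need the mailto: scheme.
        if not re.match(r"^(mailto:|https://|tel:)", value, re.I):
            problems.append(f"Contact is not a URI: {value!r}")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value!r}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {value!r}")
        elif when <= now:
            problems.append(f"file expired at {value}")
        elif (when - now).days > 365:
            problems.append(f"Expires is more than a year out: {value}")
    for value in fields.get("canonical", []):
        if not value.lower().startswith("https://"):
            problems.append(f"Canonical must be an https URI: {value!r}")
    return problems


def check(text, now=None):
    """Parse and validate a security.txt body; empty list means no findings."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    return problems + validate(fields, now)


if __name__ == "__main__":
    for label, body in (("as crawled", SAMPLE), ("corrected", FIXED)):
        print(f"== {label} ==")
        for p in check(body, CRAWL_DATE) or ["no findings"]:
            print(" -", p)
```

Run against the crawled sample the checker reports the two free-text lines and the non-URI Contact value but accepts the Expires date, which was still in the future on the crawl date; the corrected sample produces no findings. Re-running the same check on a schedule is the simplest way to catch the file silently expiring at the end of 2025.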
This policy was crawled by Onyphe on 2025-09-22 and is categorized as securitytxt.
FireBounty © 2015-2025