A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Contact: security(at)rensystems.com
Security Partner: team(at)compass-security.com

# If you’ve found noteworthy vulnerabilities and are open to sharing what you found,
# we’d certainly appreciate it. We will consult with our security partner regarding
# bug bounty – we’re a small early-stage startup and don’t yet have a dedicated
# bug bounty program, so we can’t commit upfront to specific rewards.
#
# That said, if you’ve found real vulnerabilities and are open to sharing them,
# we’re happy to collaborate on those findings.
#
# Best,
# Ren Systems Team