A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find, and a security.txt notice is a simple way to publish it.
Contact: security@yourdomain.com
Contact: https://yourdomain.com/security
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://yourdomain.com/pgp-key.txt
Preferred-Languages: en, de
Policy: https://yourdomain.com/security-policy
Hiring: https://yourdomain.com/careers

# Security Policy

We take security seriously. If you discover any security vulnerabilities, please report them responsibly using the contact information above.

## Reporting Guidelines

1. Please provide detailed information about the vulnerability
2. Include steps to reproduce the issue if possible
3. Allow reasonable time for us to respond and fix the issue
4. Do not publicly disclose the vulnerability until it has been addressed

## What to Report

- SQL injection vulnerabilities
- Cross-site scripting (XSS) issues
- Authentication bypass
- Privilege escalation
- Remote code execution
- Data exposure issues

## Out of Scope

- Social engineering attacks
- Physical attacks
- Denial of service attacks
- Issues in third-party services we don't control

Thank you for helping keep our platform secure!
This policy, crawled by Onyphe on 2025-12-02, is sorted as securitytxt.
FireBounty © 2015-2026