A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# City Stow Security Policy
# RFC 9116 Compliant - https://securitytxt.org/
# Last generated: 2026-01-01T03:38:58Z

Contact: mailto:security@citystow.com
Expires: 2026-04-01T03:38:58Z
Encryption: https://citystow.com/.well-known/pgp-key.txt
Preferred-Languages: en
Canonical: https://citystow.com/.well-known/security.txt
Policy: https://citystow.com/security
Acknowledgments: https://citystow.com/security#vulnerabilities
Hiring: https://citystow.com/careers

# Vulnerability Disclosure Program
# We offer monetary rewards for qualifying security reports.
# See our Security Center for details: https://citystow.com/security

# Severity-based bounty rewards:
# Critical: $2,500 - $5,000
# High: $1,000 - $2,500
# Medium: $250 - $1,000
# Low: $50 - $250

# Response Timeline:
# - Initial acknowledgment: 24 hours
# - Severity assessment: 7 days
# - Resolution target: 30 days
# - Public disclosure: 90 days (coordinated)

# Safe Harbor: We will not pursue legal action against researchers
# who report vulnerabilities in good faith through proper channels.