A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Security Policy for NJOFA
# This file follows RFC 9116 standard for security.txt

# Primary contact for security issues
Contact: mailto:security@njofa.com

# When this security policy expires (1 year from now)
Expires: 2026-12-12T23:59:59.000Z

# Preferred languages for security communications
Preferred-Languages: en, fr

# Canonical URL for this security.txt file
Canonical: https://njofa.com/.well-known/security.txt

# Link to detailed security policy
Policy: https://njofa.com/security-policy

# Scope of this security policy
Scope: This policy covers all NJOFA services, applications, and infrastructure.

# Response time commitment
Response-Time: We commit to respond to security reports within 24 hours and provide updates every 48 hours until resolution.