A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Contact: mailto: vulnerability-report@security.bmg.com
Expires: 2076-01-12T00:00:00.000Z
Preferred-Languages: en
# --------------------------------------------------------- Responsible Disclosure Information ---------------------------------------------------------
#
# BMG Responsible Disclosure Information
#
# Currently BMG does not run a formal bug bounty program and does not reward payouts. You can still report to us.
# Thank you all for your help in keeping us and our customers safe.
#
# What to do to report a vulnerability:
#
#  * E-mail your findings to vulnerability-report@security.bmg.com
#
#  * Please provide sufficient information to reproduce the problem, so we will be able to evaluate and resolve the
#    problem as quickly as possible. The IP-address or the URL of the affected system and a description of the
#    vulnerability are usually sufficient. Complex vulnerabilities may require a more detailed explanation.
#
# What we promise:
#  * We will respond to your report as fast as possible (normally within 10 working days but it could be considerably longer
#    during vacation periods) with our evaluation of the report.
#  * We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
#  * We will inform you of the final outcome.
#
# ----------------------------------------------------- End of Responsible Disclosure Information ------------------------------------------------------