A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Contact: mailto:em@token2.ch
Expires: 2099-05-02T22:00:00.000Z
Encryption: https://www.token2.ch/assets/pgp.public.txt
Preferred-Languages: en,fr
Policy: https://www.token2.ch/tos
# If your discovery uncovers a high-severity vulnerability  
# that can be demonstrated with a tangible proof of concept (PoC)  
# showing a real impact on our operations, we would be happy  
# to express our gratitude by offering you our products  
# or exclusive discount codes.  

# However, if you've simply used automated tools to detect minor issues  
# and are contacting us with the expectation of financial compensation,  
# please be aware that this site does not have a bounty program  
# for such cases.

# Examples of things to be disregarded as security reports:  
# - Domain DNS config, DMARC/SPF records or CAA rules  
# - Missing security headers (e.g., X-Frame-Options, X-XSS-Protection)  
# - Clickjacking (framing of publicly accessible pages)  
# - Information leaks that do not expose sensitive user data  
# - Rate limiting or brute-force protections on non-sensitive endpoints  
# - Outdated libraries with no known exploitable vulnerabilities  
# - Presence of debug information in non-production environments    

# Note for automated scanning reports
# If you use automated scanning tools, please review the results and manually verify
# each finding before submitting. Include a minimal, reproducible proof of concept (PoC).
# Example: some tools may flag/server-status as an exposed Apache status page. 
# Take the time to examine such pages carefully, as they may not always reflect actual live server data.