A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find, and a security.txt notice is a simple way to publish it.
# DSB - Please use the below point of contact for security findings only, if you as a
# vendor/salesperson contact us directly on this e-mail will we mark your e-mail as spam.
# Please send relevant information about your security findings to:
Contact: mailto:security@dsb.dk
Contact: mailto:itsikkerhed@dsb.dk
Expires: 2025-01-01T11:00:00.000Z
Preferred-Languages: en, da
# Our security policy:
Policy: https://www.dsb.dk/disclosure-policy.html
# Our OpenPGP key
Encryption: https://www.dsb.dk/pgp-key.txt
# Our security acknowledgments page
Acknowledgments: https://www.dsb.dk/hall-of-fame.html
Hiring: https://www.dsb.dk/om-dsb/karriere-i-dsb/alle-ledige-stillinger-i-dsb/
Canonical: https://www.dsb.dk/.well-known/security.txt
# Bug Bounty / Reward Statement
# -----------------------------
# DSB does not have a bug bounty/reward program and will therefore not offer paid bug/security rewards.
# We might however offer a token of our appreciation to security researchers who take the time and effort to
# investigate and report security vulnerabilities to us.
#
# In order to receive a response from us, please ensure that your report includes:
# - A clear and actionable recommendation for remediation.
# - An assessment of severity based on the CVSS framework.
# - A Qualitative Rating based on the CVSS that is above 3.9.
# - Findings that represent actual vulnerabilities rather than information that is part of reconnaissance
# - A sterilized Proof-of-Concept (i.e., a video, screenshot, defanged URLs) that does not include executable scripts or live links.
#
# Best regards
# DSB IT Security Team
#
This policy was crawled by Onyphe on 2023-03-16 and is sorted as securitytxt.
FireBounty © 2015-2025