A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# security.txt for Campfire Security
# This file provides security researchers and users with the appropriate
# contact information for reporting security vulnerabilities.

# Prohibited Activities:
# - No testing that may impact service availability (e.g., DoS/DDoS attacks).
# - No automated scanning without prior permission.
# - No social-engineering attacks (e.g., phishing, impersonation).
# - No exploitation of vulnerabilities beyond what is necessary for PoC.
# - No testing against production users or accessing unauthorized data.
# - No physical security testing (e.g., office break-ins, hardware access).
# - No testing that violates any applicable laws.

# Reporting Guidelines:
# - Provide a detailed description of the vulnerability, including steps
#   to reproduce.
# - If possible, include proof-of-concept (PoC) code or screenshots.
# - Do not publicly disclose vulnerabilities before we have addressed them.
# - We appreciate responsible disclosure. Recognition depends on severity,
#   impact, and responsible reporting practices.

Contact: mailto:security@campfiresecurity.dk
Preferred-Languages: en, da
Policy: https://campfiresecurity.dk/privacy-policy
Canonical: https://campfiresecurity.dk/.well-known/security.txt
Canonical: https://campfiresecurity.dk/security.txt
Expires: 2026-06-28T23:59:00Z
# Last-Updated: 2025-06-28