A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find through a simple mechanism: a security.txt notice.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:security@osso.nl
Encryption: https://download.osso.pub/security@osso.nl.pgp.txt
# We are OSSO B.V.
# We are open source minded and security aware.
#
# If someone reports a vulnerability we take it seriously and appreciate it.
#
# Since we are a small and technical team you can just report it to either
# info@osso.nl or security@osso.nl. If it contains sensitive information,
# please use the provided public OpenPGP key (see the 'Encryption:' field).
#
# We'll discuss within our team what kind of reward we consider appropriate.
# Unfortunately we do not have a formal policy we can share as a guidance,
# but we can say that the previous reporters have appreciated it.
# We think WE REWARD FAIRLY for our company size and resources.
#
# !OBSERVE!
#
# We generally do not provide bounties for issues that do not have
# a clear and demonstrable security impact.
#
# For example. we DO NOT offer bounties for:
# - Missing HTTP headers (e.g., CSP, HSTS).
# - Use of outdated but non-vulnerable libraries.
# - Non-compliance with new or emerging best practices.
# - Theoretical or speculative risks without a working exploit.
#
# Also, we are not responsible for all systems on our network.
# If you find a security issue in a customer project, we'll mediate and
# recommend a reward as we seem fit, but handing out rewards is up to them.
#
# Please DO NOT email us to ask which systems are or aren't in scope. Simply
# report your finding, and have faith that we will treat it with the respect
# it deserves.
#
# Looking forward to your responsible disclosure :-)
Expires: 2029-04-08T00:00:00Z
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
This policy, crawled by Onyphe on 2026-03-02, is sorted as securitytxt.
FireBounty © 2015-2026