A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Contact: mailto:security@ccli.com

Encryption: https://ccli.com/.well-known/security_public_key.txt

Signature: https://ccli.com/.well-known/security.txt.sig



# If you've found a security bug in something CCLI, we'd love to hear about it at the above email address.

# You can encrypt your email using PGP with the key detailed above, if you want to.

#

# Due to the rise in "beg bounty" emails ( no, that's not a typo - see https://www.troyhunt.com/beg-bounties/ )

# we do not respond to emails sent to undisclosed recipients and "BCC" to us.