A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256



# Our security address

Contact: mailto:security@ccli.com



# Canonical URI

Canonical: https://ccli.com/.well-known/security.txt



# Our OpenPGP key

Encryption: https://ccli.com/.well-known/security_public_key.txt



Expires:  2026-03-19T16:05:00Z



#

# If you've found a security bug in something CCLI, we'd love to hear about it at the above email address.

# You can encrypt your email using PGP with the key detailed above, if you want to.

#

# Due to the rise in "beg bounty" emails ( no, that's not a typo - see https://www.troyhunt.com/beg-bounties/ )

# we do not respond to emails sent to undisclosed recipients and "BCC" to us. 

#

-----BEGIN PGP SIGNATURE-----



iQFGBAEBCAAwFiEET3K+mlBpat4jGBl4y6gCI+vFO5IFAmfcPL4SHHNlY3VyaXR5

QGNjbGkuY29tAAoJEMuoAiPrxTuSs1MH/14AfiipRtWLZEj+vV69+ES6H3mvfTHC

D849vNB/a893daLTKwNWiOb+89Bd8BxpeXF3LuOctFSVZyimZKx9JmzgEoFyWcE6

oaG+vNfyLgsWfvrDfLeBuIpXmwLRNsHxVV7QnRa7TBDOA6hfuA65D+UX1uSPXiLH

2OUxfsvD90aye/E3yQvOaSI+PcK4CtVnjei30DiwX6AMitty1i2Nm80q9jx5ntac

q66+ao/NArURF0xCsKn97B463Yf7Je8Cro8fS2ns7oTUA8uy7HmShVY4bSpSLDtr

5u2/NMcA7jgGXJA3PxZ2e9zjkUsCUWGaw8i98VSISrTJYT8UCY3gMaI=

=adVE

-----END PGP SIGNATURE-----