A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Found a security issue in the open-source Silverstripe CMS? We'd love you to responsibly disclose it to us using the contact details below.
# If you've found an issue with our infrastructure rather than with the Silverstripe CMS, please see https://www.silverstripe.com/.well-known/security.txt instead.
# If you're not sure what the issue might affect, please *do not use the below details* - please instead use https://www.silverstripe.com/.well-known/security.txt to report this issue, and we'll make sure it gets to the right people.
# Thank you!

Contact: security@silverstripe.org
Contact: https://docs.silverstripe.org/en/contributing/release_process/#security-releases

Acknowledgements: https://www.silverstripe.org/download/security-releases/
Encryption: https://www.silverstripe.org/.well-known/silverstripe-oss-security-key.txt
Policy: https://docs.silverstripe.org/en/contributing/release_process/#security-releases