A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Canonical: https://www.ncsc.gov.uk/.well-known/security.txt
Contact: mailto:security@ncsc.gov.uk
Preferred-Languages: en
Encryption: https://www.ncsc.gov.uk/static-assets/documents/ncsc_public_2026-09-11_3446EC55.asc
Policy: https://www.ncsc.gov.uk/vulnerability-reporting
Expires: 2025-11-18T00:00:00.000Z
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEE4YeGeRwr72qsnEf+YYwd/DRG7FUFAmc7S8oACgkQYYwd/DRG
7FVMKwwAmTnceDTnAypOKli7LKT79+uycofoeU122OoeB/3zOHGB8ReyPYjukT+q
EZ56lXGuiCYlCtwxkozgkeFjRTwZTvSg/1VgutsSSfzDvjt/3w+PFhqW3qLmUPSe
jsoZWCpz5OLFPMwYt1Bk5bn67vhh16Xf7miDwhM4yGIA1Z+LQ2eIA4Z1d2yap0Lg
z6InLSG5qrtr0u6ZDqQVFIQvpPOE+pVovRHc2zQfdJFSTcQQDx/vHPgLnjFQq5yw
y61Nc3g/JnnAE/6ePE6VJjOxOQezQnxwspi4cHT8s/GNv94i8D8idpXStUTdDwTr
ArAqf8e2hed0gz5uaPDZ8HV/c286w8eV7dGWg+IzKKc+mP6k5onYMwR6kfOYH7N2
/utrcxSFFJVKHX8Pox57dAZ6ECzDgNw+8/uRY1FX2t1u3yJC7Z1XLHe8Vm8cu3FE
oh9VmF7FYqfzLAuZuj527VTNqXZ16slJYhmXUnANBFvNCPQYhack4E0m8+t84Znt
kR3wT4IR
=dreq
-----END PGP SIGNATURE-----