A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Stackhero security is a priority (really!).
#
# We appreciate the efforts of security researchers in identifying vulnerabilities.
#
# Here is a non-exhaustive list of findings that are NOT included in our bug bounty program:
#   - Weak password policy
#   - Missing headers like "Permission-Policy" and "Content-Security-Policy"
#   - Password Reset token leaking to third-party sites
#   - Brute forces using rotating IPs
#   - Account duplication using "+" or "." characters
#   - Any kind of "DDoS" attack
#
# We look forward to your comprehensive and valuable submissions!
#
Contact: mailto:security@stackhero.io