A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# In the event that you have discovered a technical vulnerability in the 
# IT infrastructure of ETH Zurich (Swiss Federal Institute of Technology), 
# we encourage you to report it to us using the appropriate method
# described in our Vulnerability Disclosure Policy. 
# ETH Zurich does NOT offer any Bug Bounties
#
Contact: mailto:security@ethz.ch
Expires: 2028-01-31T07:00:00.000Z
Preferred-Languages: en, de
Canonical: https://www.ethz.ch/.well-known/security.txt
Policy: https://www.ethz.ch/content/dam/ethz/associates/services/Service/IT-Services/files/documents/eth-disclosure-policy-en.pdf
Encryption: https://www.ethz.ch/staffnet/de/it-services/katalog/sicherheit/pgpkey.html
RFC2350: https://www.ethz.ch/content/dam/ethz/associates/services/Service/IT-Services/files/catalogue/security/rfc2350.txt
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEELMKaGUsl3dC3ULSLbu77/9ZDcAQFAmXL8ioACgkQbu77/9ZD
cASobRAAiJ/UaAVJmg3CkG4+S3seHHiOsmjX902oiEL9AKfXIgksZJLMNVhKC9qc
VZur2rG+lFBoRnkJ2Nxxetp02B3NMxJ5S/UsZP8lBvVt12fz6ew3/cxgBNjehiKa
biOcl+vD6HAuMYNU+/hRX14BUF44nQunr+qRico3dIQCP4XDRiiQXioTbHWfPv47
AQtIHUYzsFB5P6selvb9j37u9PlGE1XZTPVEvRJ7fZKS5lvfJjTemV4daACC9aZt
Atcf5I6iTspB+B5vkrviHfigvQWt5QLNH+8ZlZhXP2QFtiKuYH2ROJnvJejsuOvc
x8PEgLYxwP0v99VKKLhqIIi+zse4YFmaJqpqMeOuQM2MCNxQpYypy+Nk3TOWsj6e
6SlqAOW3YSqC5Mpt8zM3Aq/o+2CbiLLllSp4ihSKc1ArCP06POKPwJHpV3HvVg1h
IvCKkDKMfDVBRNRUYvbaMsMC2U7uRzo/NumAC/Sz5XqEyrWskvN0Semrjop8Fea3
+rf57Roo61OnIgjpwV7TYOxo7ZiRxICHXF7uz7NfrLmu9/MIF6XcMW22eaMUew+4
hWgKmTxC4vDtqKHwoIEPQQEfv+Kb0kr0ChtGaDVV/6glQB8GBBZ/0uHQQAIPGtUR
jOHyPdQer2bQpx+kTa0kQ26UXaUlibx1STSjLAwX2C75l9Lx5BI=
=44tb
-----END PGP SIGNATURE-----