A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# If you like to report a vulnerability on any of our products, please use our bug bounty program at HackerOne.
# For reports regarding our website or other organization assets please use the mail address.

Contact: https://hackerone.com/open-xchange
Contact: mailto:security@open-xchange.com
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/480B49CD0922FA6A13CF9305961459F129176EAF
Preferred-Languages: en
Canonical: https://www.open-xchange.com/.well-known/security.txt
Policy: https://hackerone.com/open-xchange
Hiring: https://www.open-xchange.com/about-ox/career/working-for-ox/