PDF + Markdown · Free · Email-gated · 12 sections

Vulnerability Disclosure Policy.
Safe-harbour, SLAs, security.txt.

A complete VDP your legal team will sign and your security team can actually operate. Aligned to ISO 29147, CISA BOD 20-01, and RFC 9116 — with the safe-harbour clause language that researchers expect to see before they file a report.

What is inside

A VDP both sides will trust.

  • 12-section policy in editable Markdown plus a PDF reference render
  • Safe-harbour clause language used by mature programmes — counsel-friendly, researcher-trusted
  • Pre-built /.well-known/security.txt sample aligned to RFC 9116
  • Severity rubric, response SLA table, and remediation targets
  • Notes on adapting the policy from VDP to paid bug-bounty without rewriting governance

Table of contents

All twelve sections at a glance.

  1. Intent statement

    Plain-English commitment that the organisation welcomes security research, will respond to reports in good faith, and will not pursue legal action against researchers acting under this policy.

  2. Scope — in

    Domains, sub-domains, mobile apps, APIs, and infrastructure within scope. Pre-built as a table so legal and security can edit the rows without rewriting the policy.

  3. Scope — out

    Third-party services, partner-operated systems, deprecated assets, marketing micro-sites — and the specific test classes excluded (DoS, social engineering, physical, automated scanners at high rate).

  4. Safe-harbour clause

    Researcher protections modelled on CISA / Department of Justice guidance — no CFAA / DPDP / IT Act prosecution for good-faith research within scope. Limits clearly stated.

  5. Reporting channel

    Primary intake (security@ alias or platform), backup channel, PGP key reference, expected information per report (asset, reproduction steps, impact, evidence), language preferences.

  6. Response SLAs

    Acknowledgement within 3 business days, triage within 10 business days, remediation targets by severity (critical 30 days, high 60, medium 90), public-disclosure coordination window of 90 days.

  7. Severity rubric

    How reports are scored (CVSS v4 baseline plus business-context modifier), how disagreements are resolved, examples of how each severity tier maps to remediation priority.

  8. Coordinated disclosure

    Default 90-day disclosure window, conditions for extension, conditions for early disclosure (active exploitation), credit conventions, opt-out for anonymous reporters.

  9. Recognition & rewards

    Whether the programme is paid (bug-bounty) or recognition-only (VDP), the eligibility rules, the appeal route, the hall-of-fame conventions, anti-fraud controls.

  10. Out-of-scope conduct

    What the researcher must not do — exfiltrate real data beyond a proof, modify or destroy data, social-engineer staff, brute-force credentials, post findings publicly before the disclosure window closes.

  11. /.well-known/security.txt

    RFC 9116 reference contents — Contact, Expires, Encryption, Policy URL, Hiring, Preferred-Languages — with a worked example and signing guidance.

  12. Governance & review

    Owning team, escalation route to legal and exec sponsor, annual review cadence, change-history log, and the version-pinned canonical URL for the policy.
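Section 11 lists the RFC 9116 fields that a security.txt carries. As an added illustration (not part of the template or the page's own material), the Python below parses a constructed security.txt and flags the defects that most often make a published file unusable for researchers: no Contact, a missing, duplicated or stale Expires, and web URIs that are not https. The example.com values and the fixed NOW clock are assumptions so that the checks are reproducible offline.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample file using the RFC 9116 fields the template lists (assumed values).
SAMPLE = """\
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, hi
Policy: https://example.com/security/vdp
Hiring: https://example.com/careers
Canonical: https://example.com/.well-known/security.txt
"""
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed clock so the checks are reproducible
URI_RE = re.compile(r"^(https://|mailto:|tel:)\S+$")  # Contact must be an https, mailto or tel URI

def parse_security_txt(text):
    """Map lower-cased field name -> list of values; comments, blanks and non-field lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue  # '-----' lines are OpenPGP cleartext-signature armour, not fields
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=NOW):
    """Return a list of problems; an empty list means the file passes these RFC 9116 checks."""
    f, problems = parse_security_txt(text), []
    if not f.get("contact"):
        problems.append("missing required Contact field")
    problems += [f"Contact is not an https/mailto/tel URI: {c}" for c in f.get("contact", []) if not URI_RE.match(c)]
    exp = f.get("expires", [])
    if len(exp) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # normalise a trailing Z so older Python versions parse it; compare in UTC
            when = datetime.fromisoformat(exp[0].upper().replace("Z", "+00:00")).astimezone(timezone.utc)
            if when <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {exp[0]}")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    for name in ("policy", "hiring", "canonical"):  # web URIs in these fields must be https
        problems += [f"{name} must be an https URI: {v}" for v in f.get(name, []) if not v.startswith("https://")]
    return problems
```

Run it against the file your web server actually serves at /.well-known/security.txt, not the copy in the repository, so that a cached or stale deployment is caught too.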

Standing up a VDP from scratch?

The template is the easy day. Triage capacity, severity rubric calibration, and disclosure-window discipline are where most VDPs wobble. A 30-minute scoping call is free.