Policy settings

Vulnerability finders often wish to publish their reports after the issue has been fixed, and some will provide their own timeline when reporting security issues. We strongly recommend that you take a proactive approach to setting your own timeline, and to make this clear within your VDP.


If you’re not currently able to do this, you may optionally opt-out of setting a timeline.

Enter the web address where people can find this policy on your website, . Note that this only impacts security.txt and DNS Security TXT records, and can be changed before deployment if needed.

Required