The canonical, public-domain reference for vulnerability disclosure policy language, operational practices, and program maturity — maintained by the disclose.io community.
This repository is the source of truth behind disclose.io/framework/ and policymaker.disclose.io. Everything here is CC0 1.0 — public domain. Fork it, adopt it, adapt it, ship it.
Note: while we've engaged the legal opinion of many, this does not constitute legal advice. Please consult your own counsel for the specific suitability of these terms in your organisation.
| Pillar | What it is | Directory |
|---|---|---|
| Terms | Legal policy boilerplate — VDP, BBP, safe harbor, regional variants | core-terms-*.md, core-terms/, regional/, simple-safeharbor/, archive/ |
| Practices | Operational playbooks for running a VDP/BBP | practices/ |
| Maturity | diostatus — the 6-level program maturity model | maturity/ |
| Resource | Link |
|---|---|
| Generate a personalised policy | policymaker.disclose.io |
| Canonical reference site | disclose.io/framework/ |
| Community forum | community.disclose.io |
| Compare real-world programs | disclose.io/programs |
- Core terms — primary documents. Maximum flexibility with bilateral safety, readability, and accommodation of varying legal environments. BBP terms are a superset of VDP terms with additional rewards/scope fields. They are kept separate to avoid ambiguity.
- Core modules — modular section fragments derived from the Core terms, used as the basis for regional/vertical translation.
- Regional terms — contributed by PSIRTs, disclosure platforms, policy advocates, and vendor program operators. Adapt safe-harbor language to local legal and regulatory context.
- Simple Safe Harbor — condensed safe-harbor clause designed to add protection language to VDPs and BBPs that are already in place.
- Archive — deprecated or archived terms preserved for reference.
Operational how-to guidance for running a program day-to-day — the counterpart to the legal text in terms/. Current stubs:
- program-launch.md — preflight decisions, scoping, approvals, go-live
- triage.md — intake, severity, deduplication, validation, communication
- coordinated-disclosure.md — timelines, negotiation, public disclosure, multi-party
- safe-harbor-implementation.md — aligning Legal, TOS/AUP, platform agreements
- researcher-relations.md — communication cadence, recognition, escalation
These pages are intentionally thin starting points. Community contribution fills them in over time — open a PR.
diostatus is a 6-level self-assessment describing how prepared an organisation is to receive and handle external vulnerability reports.
Findable → Communicating → Not hostile → Explicitly safe → Accountable.
See maturity/ for the per-level definitions and progression guide.
The core requirements for Full Safe Harbor are for the policy to provide:
- Authorisation against anti-hacking laws (CFAA, CMA, equivalent)
- Exemption from anti-circumvention laws (DMCA, equivalent)
- Exemption from violation of the organisation's own TOS/AUP during security testing
- A statement acknowledging good-faith research
The intent is for this language to be adopted as written, with at most minor modifications. If you do modify it, preserve the four tenets above.
Policies missing any of the core tenets but containing a good-faith non-pursuit commitment meet the criteria for Partial Safe Harbor.
Incentives or "bounties" for vulnerability reports are not a prerequisite for Safe Harbor or for a program to be considered a VDP.
- Coordinated Disclosure — researcher may share details after a fix has been applied and the program owner has granted permission, or after a clearly-stated time has passed from submission, whichever is sooner.
- Discretionary Disclosure — researcher or program owner may request mutual permission to share details after explicit approval.
- Non-Disclosure — researchers are required to keep details and the existence of the program confidential. Generally inappropriate for VDPs.
- Scope (required) — explicit "in-scope" assets. Err on the side of inclusiveness.
- Out-of-Scope (optional) — systems or activities the organisation discourages testing against.
- Rewards (optional, BBPs only) — payment policy and parameters.
- Official Communication Channels (required) — complete list of intake methods.
- Disclosure Policy (required) — conditions under which researchers may disclose to third parties.
- Regional variants — fork → add regional/XXX-core-terms.md → PR
- Core terms changes — RFC-style: open a GitHub Discussion, then a PR
- Practices — PR against practices/*.md
- Maturity — PR against maturity/*.md
- Translations — fork → add locale files → PR
CODEOWNERS routes reviews to the appropriate team.
- Add the disclose.io seal to your public program brief
- Submit a PR to add your program to diodb
- Let the world know you've joined the initiative
- Contribute back to the framework you just adopted