
The disclose.io Project
Safe harbor for security research.
About disclose.io
Someone finds a security flaw in a system. They want to report it. What happens next?
For most of the internet’s history, the answer has been: nothing good. No standard way to report. No assurance the reporter won’t be sued. No clarity on what “responsible” even means. Laws like the Computer Fraud and Abuse Act (CFAA) presume researchers are criminals. The result: vulnerabilities go unreported, or get sold to the highest bidder.
disclose.io changes the norm. It is a vendor-agnostic, open-source framework that standardizes how organizations receive vulnerability reports and commits them to safe harbor for good-faith researchers.
Vulnerability disclosure should be as normal as having a security team. disclose.io makes it possible.
The Framework
- The dioterms safe harbor framework, now adopted globally
- Standardized VDP policy templates in multiple languages
- The security.txt standard (RFC 9116) for machine-readable security contacts
- Community database of organizations with published disclosure policies
- Policy guidance used by governments, Fortune 500s, and critical infrastructure
- Directory of over 100 crowdsourced security platforms worldwide
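The security.txt item above refers to the RFC 9116 file an organization publishes at /.well-known/security.txt so that researchers can find the right contact and policy without guessing. As an added example (not code from the disclose.io project), the following Python parser and validator checks a security.txt body against the RFC's basic rules: Contact and Expires are required, Expires and Preferred-Languages may appear at most once, Contact values must be https, mailto or tel URIs, and Expires must be a time-zoned ISO 8601 date-time that has not passed and is less than a year away. The sample files, the example.com addresses and the fixed check time are constructed for illustration.

```python
"""Parse and validate a security.txt file as described in RFC 9116.

Added example, not code from the disclose.io project. Only the standard
library is used; the sample files below are constructed for illustration.
"""
from datetime import datetime, timezone

# Fields RFC 9116 requires or defines (names are case-insensitive).
REQUIRED = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
KNOWN = REQUIRED | SINGLE_VALUED | {
    "acknowledgments", "canonical", "csaf", "encryption", "hiring", "policy",
}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Fixed "now" so the sample results are reproducible (constructed value).
CHECK_TIME = datetime(2030, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field: [values]} with field names lower-cased.

    Blank lines and '#' comments are skipped; lines without a ':' are
    collected under the pseudo-field '_malformed' so the validator can
    report them instead of silently dropping them.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line (no 'field: value'): {line!r}")

    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field: {name}")

    for name in sorted(SINGLE_VALUED & fields.keys()):
        if len(fields[name]) > 1:
            problems.append(f"field must appear at most once: {name}")

    for name in sorted(fields.keys() - KNOWN - {"_malformed"}):
        problems.append(f"unknown field (extensions are allowed, but check spelling): {name}")

    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be an https, mailto or tel URI: {value!r}")

    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value!r}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a time zone offset")
        elif expires <= now:
            problems.append(f"file has expired ({value})")
        elif (expires - now).days > 365:
            problems.append("Expires should be less than a year in the future")

    return problems


# Constructed sample: what a site might publish at /.well-known/security.txt
SAMPLE_OK = """\
# Security contacts for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2031-01-01T00:00:00Z
Policy: https://example.com/.well-known/disclosure-policy
Preferred-Languages: en, de
"""

# Constructed sample with common mistakes: bare e-mail address, duplicate
# and already-passed Expires, and a line that is not a field at all.
SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2020-01-02T00:00:00Z
Hello world
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_security_txt(sample, now=CHECK_TIME) or "no problems")
```

Running the script prints no problems for the first sample and four for the second (the malformed line, the duplicated Expires, the Contact value without a URI scheme, and the expired date). A real check would fetch the file over HTTPS from the site's own /.well-known/ path before validating it.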
The Problem
The internet runs on software written by humans. Humans make mistakes. Vulnerabilities exist in every system. The question is whether they get found by someone who wants to help or by someone who wants to exploit them.
Most organizations have no idea how to receive a vulnerability report. Researchers have no way to know if reporting is safe. The norms don’t exist. disclose.io creates them.
For hackers, researchers, and anyone who stumbles across a security issue: a signal that says “we welcome your report, and we won’t sue you for helping.”
For organizations and vendors: a statement that says “we understand security is hard, we welcome feedback, we have the means to process it, and we’re mature enough to prove it.”
And everyone else benefits from better security overall.