Mission — Make vulnerability disclosure safe, simple, and standardized for everyone. We're the open, vendor-neutral infrastructure that powers disclosure and security reporting.
Vision — Every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping.
Vulnerabilities are inevitable; the response is what matters. disclose.io is the open-source layer between raw standards (ISO 29147, CISA CVD) and commercial platforms — a vendor-neutral, practitioner-first community of researchers, legal experts, and program owners building the shared language, tools, and open record that make good-faith disclosure the default. Free for anyone, mostly public domain, forever.
One movement, three connected jobs — the language you adopt, the tools that publish and find it, and the open record that keeps everyone honest.
flowchart LR
subgraph LANG["📜 THE LANGUAGE"]
direction TB
HIST["history.disclose.io<br/><i>where the terms came from</i>"]:::a
DT["dioterms<br/><i>policy language +<br/>maturity model</i>"]:::a
DNS["dnssecuritytxt<br/><i>contacts via DNS</i>"]:::a
SEAL["dioseal<br/><i>the mark of adoption</i>"]:::a
end
subgraph TOOLS["🛠️ THE TOOLS"]
direction TB
PM["policymaker<br/><i>generate & publish</i>"]:::b
LU["lookup.disclose.io<br/><i>any asset → a contact</i>"]:::b
EXT["browser extension"]:::b
INT["dio-lookup · caido-lookup<br/>· burp-lookup"]:::b
STS["diosts<br/><i>security.txt validation</i>"]:::b
end
subgraph RECORD["🗄️ THE RECORD"]
direction TB
DIR["directory.disclose.io<br/><i>system of record</i>"]:::c
PLAT["bug-bounty-platforms<br/><i>the platform registry</i>"]:::c
THR["research-threats<br/><i>when it goes wrong</i>"]:::c
STATE["state.disclose.io<br/><i>the scoreboard</i>"]:::c
end
LANG ~~~ TOOLS
TOOLS ~~~ RECORD
HIST -.->|documents| DT
DT -->|templates power| PM
DNS -->|record format| PM
DT -->|adoption earns| SEAL
PM -->|publish, then list<br/>your program| DIR
PM -->|what you publish is<br/>what researchers find| LU
LU -->|powers| INT
EXT -->|deep lookup| LU
EXT -->|polls live data| DIR
STS -.->|validates security.txt,<br/>in the record's format| DIR
DIR -->|powers| STATE
PLAT -->|mapped in| STATE
THR -->|mapped in| STATE
DT -.->|maturity model<br/>sets the scale| STATE
LANG <-.->|evidence flows back:<br/>the threats archive is why<br/>safe harbor exists| RECORD
classDef a fill:#5B3AB6,stroke:#43289C,color:#fff;
classDef b fill:#efe9fc,stroke:#5B3AB6,color:#2c2148;
classDef c fill:#e8f6ef,stroke:#0f7a4f,color:#123f2c;
Follow the loop:
- The language. history.disclose.io records where the terms came from; dioterms is that language today: CC0 policy templates, safe harbor clauses, and the maturity model. dnssecuritytxt standardizes contacts in DNS, and the dioseal is the visible mark of adoption.
- Publish it. policymaker turns the language into a live policy,
security.txt, and DNS record in minutes. Publish, fly the seal, and list your program in the directory. - Find it. What organizations publish is what researchers find: lookup resolves any asset to its disclosure contact, in the browser through the extension (live from the directory) and in recon pipelines through dio-lookup, caido-lookup, and burp-lookup. diosts validates
security.txtat Internet scale. - Keep score. The directory is the system of record; bug-bounty-platforms and research-threats keep the platform registry and the cautionary record; state.disclose.io, powered by the directory, grades the whole ecosystem against the maturity model.
- Close the loop. Every entry in the threats archive is a reason the safe-harbor language exists, and the scoreboard shows the movement what to sharpen next. disclose.io explains the framework; community.disclose.io is where it gets decided.
| Project | What it is |
|---|---|
| dioterms | The canonical, CC0, lawyer-reviewed policy language — VDP, bug bounty, safe harbor, regional variants — plus the diostatus L0–L5 maturity model. |
| dioseal | The recognizable seal that tells researchers a program welcomes them, and tells customers it takes security seriously. |
| dnssecuritytxt | A standard for publishing your security contact via DNS TXT records — discoverable before a researcher even loads your site. |
| history.disclose.io (repo) | The sourced provenance of the terms: where the language came from, traced and cited back to its earliest ancestors. |
| Project | What it is |
|---|---|
| policymaker → policymaker.disclose.io | Generate a complete VDP, safe-harbor clause, security.txt and DNS Security TXT in minutes — no lawyer required. |
| lookup.disclose.io | Turn any asset (domain, IP, package, repo…) into a security-disclosure contact. CLI & IDE plugins: dio-lookup · caido-lookup · burp-lookup. |
| diosts | A Go scraper that validates security.txt files at Internet scale. |
| chrome-extension-v2 | See any website's disclosure posture — safe harbor, VDP, maturity — at a glance from your toolbar. |
| Project | What it is |
|---|---|
| directory.disclose.io | The open system of record for disclosure programs and their safe-harbor status. |
| bug-bounty-platforms → disclose.io/platforms | Every known bug-bounty & VDP platform, in one community-powered list. |
| research-threats → disclose.io/threats | The open archive of legal threats against good-faith researchers — a record, so it stops happening. |
| disclose.io (website) | The front door and the framework. |
| community.disclose.io | The forum — where the work gets debated and decided. |
This is a community project, and it only works because people show up. You don't need to be a lawyer or a hacker to help:
- 🐛 Saw a company threaten a researcher? Add it to research-threats.
- 🏴 Know a bug-bounty platform we're missing? Add it to bug-bounty-platforms.
- ⚖️ Lawyer or policy person? Sharpen the terms or contribute a regional variant for your jurisdiction.
- 🌍 Speak another language? Translate the terms — the whole world reports vulnerabilities.
- 💻 Developer? Pick up an issue on policymaker, the lookup integrations, or the extension.
- 🏢 Run a program? Adopt the terms and the seal, then list it in the directory.
- 💬 Just want to talk it through? Join community.disclose.io.
Every repository is open source and mostly CC0 — public domain. Fork it, adopt it, adapt it, ship it. Each repo's CONTRIBUTING and issue templates show the specifics, and new contributors are always welcome — look for good first issue.
disclose.io · the framework · community forum · @disclose_io