Skip to content
@disclose

disclose.io

The infrastructure that powers vulnerability disclosure and security reporting — Internet-wide. Safe, simple, standardized safe harbor for everyone.
The disclose.io Project — making it safe to report a vulnerability

The disclose.io Project

The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone.

disclose.io Community forum The framework CC0 / open source Follow on X


Mission — Make vulnerability disclosure safe, simple, and standardized for everyone. We're the open, vendor-neutral infrastructure that powers disclosure and security reporting.

Vision — Every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping.

Vulnerabilities are inevitable; the response is what matters. disclose.io is the open-source layer between raw standards (ISO 29147, CISA CVD) and commercial platforms — a vendor-neutral, practitioner-first community of researchers, legal experts, and program owners building the shared language, tools, and open record that make good-faith disclosure the default. Free for anyone, mostly public domain, forever.

How it fits together

One movement, three connected jobs — the language you adopt, the tools that publish and find it, and the open record that keeps everyone honest.

flowchart LR
    subgraph LANG["📜 THE LANGUAGE"]
        direction TB
        HIST["history.disclose.io<br/><i>where the terms came from</i>"]:::a
        DT["dioterms<br/><i>policy language +<br/>maturity model</i>"]:::a
        DNS["dnssecuritytxt<br/><i>contacts via DNS</i>"]:::a
        SEAL["dioseal<br/><i>the mark of adoption</i>"]:::a
    end
    subgraph TOOLS["🛠️ THE TOOLS"]
        direction TB
        PM["policymaker<br/><i>generate & publish</i>"]:::b
        LU["lookup.disclose.io<br/><i>any asset → a contact</i>"]:::b
        EXT["browser extension"]:::b
        INT["dio-lookup · caido-lookup<br/>· burp-lookup"]:::b
        STS["diosts<br/><i>security.txt validation</i>"]:::b
    end
    subgraph RECORD["🗄️ THE RECORD"]
        direction TB
        DIR["directory.disclose.io<br/><i>system of record</i>"]:::c
        PLAT["bug-bounty-platforms<br/><i>the platform registry</i>"]:::c
        THR["research-threats<br/><i>when it goes wrong</i>"]:::c
        STATE["state.disclose.io<br/><i>the scoreboard</i>"]:::c
    end
    LANG ~~~ TOOLS
    TOOLS ~~~ RECORD
    HIST -.->|documents| DT
    DT -->|templates power| PM
    DNS -->|record format| PM
    DT -->|adoption earns| SEAL
    PM -->|publish, then list<br/>your program| DIR
    PM -->|what you publish is<br/>what researchers find| LU
    LU -->|powers| INT
    EXT -->|deep lookup| LU
    EXT -->|polls live data| DIR
    STS -.->|validates security.txt,<br/>in the record's format| DIR
    DIR -->|powers| STATE
    PLAT -->|mapped in| STATE
    THR -->|mapped in| STATE
    DT -.->|maturity model<br/>sets the scale| STATE
    LANG <-.->|evidence flows back:<br/>the threats archive is why<br/>safe harbor exists| RECORD
    classDef a fill:#5B3AB6,stroke:#43289C,color:#fff;
    classDef b fill:#efe9fc,stroke:#5B3AB6,color:#2c2148;
    classDef c fill:#e8f6ef,stroke:#0f7a4f,color:#123f2c;
Loading

Follow the loop:

  1. The language. history.disclose.io records where the terms came from; dioterms is that language today: CC0 policy templates, safe harbor clauses, and the maturity model. dnssecuritytxt standardizes contacts in DNS, and the dioseal is the visible mark of adoption.
  2. Publish it. policymaker turns the language into a live policy, security.txt, and DNS record in minutes. Publish, fly the seal, and list your program in the directory.
  3. Find it. What organizations publish is what researchers find: lookup resolves any asset to its disclosure contact, in the browser through the extension (live from the directory) and in recon pipelines through dio-lookup, caido-lookup, and burp-lookup. diosts validates security.txt at Internet scale.
  4. Keep score. The directory is the system of record; bug-bounty-platforms and research-threats keep the platform registry and the cautionary record; state.disclose.io, powered by the directory, grades the whole ecosystem against the maturity model.
  5. Close the loop. Every entry in the threats archive is a reason the safe-harbor language exists, and the scoreboard shows the movement what to sharpen next. disclose.io explains the framework; community.disclose.io is where it gets decided.

The ecosystem

📜 Standards — the language & the marks

Project What it is
dioterms The canonical, CC0, lawyer-reviewed policy language — VDP, bug bounty, safe harbor, regional variants — plus the diostatus L0–L5 maturity model.
dioseal The recognizable seal that tells researchers a program welcomes them, and tells customers it takes security seriously.
dnssecuritytxt A standard for publishing your security contact via DNS TXT records — discoverable before a researcher even loads your site.
history.disclose.io (repo) The sourced provenance of the terms: where the language came from, traced and cited back to its earliest ancestors.

🛠️ Tools — publish, find, verify

Project What it is
policymakerpolicymaker.disclose.io Generate a complete VDP, safe-harbor clause, security.txt and DNS Security TXT in minutes — no lawyer required.
lookup.disclose.io Turn any asset (domain, IP, package, repo…) into a security-disclosure contact. CLI & IDE plugins: dio-lookup · caido-lookup · burp-lookup.
diosts A Go scraper that validates security.txt files at Internet scale.
chrome-extension-v2 See any website's disclosure posture — safe harbor, VDP, maturity — at a glance from your toolbar.

🗄️ Data & the record — the open evidence base

Project What it is
directory.disclose.io The open system of record for disclosure programs and their safe-harbor status.
bug-bounty-platformsdisclose.io/platforms Every known bug-bounty & VDP platform, in one community-powered list.
research-threatsdisclose.io/threats The open archive of legal threats against good-faith researchers — a record, so it stops happening.

🌐 The movement

disclose.io (website) The front door and the framework.
community.disclose.io The forum — where the work gets debated and decided.

🙌 Contribute — there's a way in for everyone

This is a community project, and it only works because people show up. You don't need to be a lawyer or a hacker to help:

Every repository is open source and mostly CC0 — public domain. Fork it, adopt it, adapt it, ship it. Each repo's CONTRIBUTING and issue templates show the specifics, and new contributors are always welcome — look for good first issue.

Get involved

disclose.io · the framework · community forum · @disclose_io

The infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. · Vendor-neutral · Community-run · Est. 2018

Pinned Loading

  1. diodb diodb Public archive

    Open-source vulnerability disclosure and bug bounty program database

    Python 1.1k 327

  2. research-threats research-threats Public

    Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg

    CSS 326 26

  3. bug-bounty-platforms bug-bounty-platforms Public

    A community-powered collection of all known bug bounty platforms, vulnerability disclosure platforms, and crowdsourced security platforms currently active on the Internet.

    HTML 1.1k 209

  4. policymaker policymaker Public

    A free, open-source, multi-lingual, template-based VDP policy, safe harbor clause, securitytxt, and DNS Security TXT generator.

    Vue 16 9

  5. dioterms dioterms Public

    Open-source vulnerability disclosure policy templates.

    70 8

  6. resources resources Public archive

    Tools, data, and contact lists relevant to The disclose.io Project.

    325 45

Repositories

Showing 10 of 20 repositories

Top languages

Loading…

Most used topics

Loading…