disclose.io

We're here to make vulnerability disclosure safe, simple, and standardized for everyone.

Let's get started...

Deploy a VDP using Policymaker

Generate a customized, disclose.io-compliant VDP with our free template-based VDP policy, safe harbor clause, security.txt, and DNS Security TXT generator.

Search for VDP and bug bounty programs

Search vulnerability disclosure and bug bounty programs in our database, get details on where to submit security findings, and understand their safe harbor status.

Get disclosure assistance

Get help finding security contacts from the disclose.io Community, and collaborate with like-minded folks working on making the Internet a safer place!

Internet superheroes

Some of the legends working on disclose.io who eat, sleep, and breathe making the Internet safer

caseyjohnellis
amitelazari
chloemessdaghi
jack
harleygeiger
esquiring
beauwoods
jmanoto
andrewmohawk
sickcodes
dantrauner
infosecjen
jhaddix
its-a-lisa
max
hakluke
jonathan
0ddinput

Frequently asked questions

Got a quick question? Let's get you a quick answer

  • Who is disclose.io for?
    • Hackers and Finders: You want to help, and you’re not sure that you’re welcome. We want to help you make safe decisions and connect you to the right people to take action on your input.
    • Legal teams: Vulnerability reporting and research are tricky, and inviting the help of hackers is still legally novel territory. We want to make it simple for you to make consensus-backed recommendations.
    • Organizations: Vulnerabilities are inherent to innovation, but it still takes guts to say so. We want to help you say so loudly and proudly.
    • Security Researchers: You’ve been waiting for the red carpet. We’ll help you find it.
  • How do I interact with or contribute to the disclose.io projects?

    Glad you asked!

    • Start a vulnerability disclosure program (VDP), or upgrade your VDP or bug bounty program to include best practices like Safe Harbor and proactive disclosure timelines
    • Join the community, contribute or assist with vulnerability research, and help finders connect with security teams to alert them of identified risks
    • Help us keep “The Big List” of known VDPs and bug bounty programs up-to-date by submitting a PR to the dioterms repo
    • Contribute to the dioterms open-source vulnerability disclosure policy by raising an issue on the repo, or add a language or regional legal translation by submitting a PR
    • Volunteer as a core contributor/maintainer on one of our existing projects
    • Recommend a new project to support our mission to make vulnerability disclosure safe, simple, and standardized
  • I have an idea for a project, how do I get started?

    Awesome! Get in touch via our contact form, we’ll add you to the disclose.io working group Slack, spin up a repo, and go from there!

  • Is disclose.io a 501(c)(3) (Not For Profit)?

    disclose.io was formed as a merger of separate standardization projects initiated by RainForest Puppy, Bugcrowd, Cipherlaw, Dropbox, Dr. Amit Elazari, UC Berkeley, the National Transport and Information Authority, the US Department of Justice, and others.

    We’re currently in the process of incorporating and pursuing status as a 501(c)(3) Not For Profit.

  • What is Safe Harbor?

    Most of the existing anti-hacking laws pre-date the notion of hacking for good or widespread knowledge of the “digital locksmiths” who are increasingly influencing modern-day digital safety.

    These anti-hacking laws have been used by organizations to suppress good-faith security research in the pursuit of limiting negative publicity for the vendor, which nets out to a “chilling effect” on the input from the people the Internet needs to hear from most. If hackers are the Internet’s Immune System, then right now, even in 2023, the Internet still has an auto-immune problem.

    “Safe Harbor” is the term used to describe clauses added to public policies which allow folks acting in good faith, as defined clearly and proactively by the recipient, to provide security feedback without fear of legal repercussions.

    disclose.io intends to help define, spread, and reward the adoption of vulnerability disclosure programs with best practices like Safe Harbor.

  • Is this legal advice?

    While we’ve engaged the legal opinion of many, this does not constitute legal advice. Please consult your legal counsel for the specific suitability of the disclose.io terms in your organization.

Why does The disclose.io Project exist?

A couple of talks to get you started...

An intro to disclose.io and hacker safety

caseyjohnellis at HackerCon 2021

Hacking the Law - Are Bug Bounties a True Safe Harbor?

Amit Elazari at BSidesSF 2018

Didn't find what you were looking for?

Contact Us