Advocacy and Activism
Public policy work and open letters from disclose.io.
advocacy /ˈadvəkəsi/ (noun): public support for or recommendation of a particular cause or policy.
activism /ˈaktɪvɪz(ə)m/ (noun): the policy or action of using vigorous campaigning to bring about political or social change.
Open Letters and Statements
The following is a collection of letters and statements that disclose.io and/or its members have either co-authored or joined as signatories, in reverse chronological order:
- Comments on NIST Cyber AI Profile (February 2026) — Joint Cybersecurity Coalition and Hacking Policy Council comments on NIST’s Cybersecurity AI Community Profile, recommending lifecycle-based AI risk management and recognition of red teaming and bug bounty programs for AI systems.
- Comments on EU CRA Delegated Act on Delaying Incident Notifications (December 2025) — Joint Cybersecurity Coalition and HPC comments urging the European Commission to make the 72-hour timeframe for mitigation measures more flexible.
- Letter in Support for Reauthorization of the Cybersecurity Information Sharing Act of 2015 (July 2025) — HPC letter to Congress urging reauthorization of CISA 2015 before its expiration.
- Comments on the Development of an AI Action Plan (March 2025) — HPC comments to the White House on AI security testing and vulnerability disclosure as part of the national AI Action Plan.
- Resource on Vulnerability Management under the EU Cyber Resilience Act (October 2024) — HPC guidance on vulnerability management obligations under the EU CRA framework.
- Comments to CISA on Cyber Incident Reporting for Critical Infrastructure (CIRCIA) (July 2024) — HPC comments on how incident reporting requirements interact with security research and vulnerability disclosure.
- Reply Comments for DMCA Section 1201 Exemption for Generative AI Research (March 2024) — HPC reply comments in the Ninth Triennial Proceeding. The Copyright Office subsequently clarified that prompt injection, jailbreaking, and rate limit bypass do not violate DMCA Section 1201.
- Joint Letter of Experts on CRA and Vulnerability Disclosure (October 2023) — Open letter signed by 50+ cybersecurity experts opposing the EU CRA’s Article 11 requirement for 24-hour disclosure of actively exploited unpatched vulnerabilities.
- AI Red Teaming: Recommendations for Legal Clarity and Liability Protections (December 2023) — HPC recommendations establishing that AI red teaming needs legal safe harbors similar to those for traditional security research.
- Position Statement on State Charging Policies for Security Researchers (August 2023) — HPC statement addressing the risk that state prosecutors can pursue CFAA-style cases that federal prosecutors would decline, calling for reform of state-level charging policies.
- Joint Letter to OFAC re Vulnerability Guidance (May 2023) — HPC letter requesting OFAC clarify that receiving vulnerability disclosures from individuals in sanctioned countries is not restricted under sanctions.
- Security Researcher Statement on the DMCA (June 2021) — EFF statement on DMCA exemptions for good-faith security research, co-signed by disclose.io and others.
- Calling for Cybersecurity in Critical Infrastructure Modernization (May 2021) — Coalition letter urging Congress and the Biden Administration to integrate cybersecurity requirements into infrastructure modernization legislation.
- An Open Letter on Election Security (November 2020) — Open letter alongside the EFF, Bugcrowd, the Centre for Democracy and Technology, Verified Voting, and others.
- Open Letter to Columbus City Attorney Zach Klein — Regarding the prosecution of a security researcher who reported vulnerabilities in city election systems.
- Response to Voatz — Addressing Voatz’s claims about security researchers who identified vulnerabilities in their mobile voting application.
Hacking Policy Council
In April 2023, disclose.io members helped launch the Hacking Policy Council (HPC) at the Center for Cybersecurity Policy and Law. The HPC brings together Bugcrowd, Google, HackerOne, Intel, Intigriti, LutaSecurity, Microsoft, and Trend Micro to advance policy protections for good-faith security research.
Since its founding, the HPC has published 35+ formal comments, position statements, and policy resources spanning NIST, CISA, the U.S. Copyright Office, UK DSIT, the EU Cyber Resilience Act, the Pall Mall Process, and more. The complete archive is available on the Hacking Policy Council page.