<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Documentation on disclose.io</title><link>https://disclose.io/docs/</link><description>Recent content in Documentation on disclose.io</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://disclose.io/docs/index.xml" rel="self" type="application/rss+xml"/><item><title>What is disclose.io</title><link>https://disclose.io/docs/what-is-disclose.io/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/what-is-disclose.io/</guid><description>Disclose.io is a cross-industry, vendor-agnostic standardization project for safe harbor best practices to enable good-faith security research.
We provide free, open-source tools and data to help establish and improve vulnerability disclosure programs and an easily recognizable seal for those taking part in &amp;ldquo;Neighbourhood Watch for the Internet.&amp;rdquo;
Powered by experts With the help of expert maintainers and by harnessing the power of open-source, disclose.io provides:
Free boilerplate policies, tools, contact lists, and data-sets; A straight-forward maturity model with recognition of all levels of best practice adoption, and Centralized assistance, information, activism, advocacy for security researchers and those wanting to report security issues.</description></item><item><title>Vision and Mission</title><link>https://disclose.io/docs/vision-and-mission/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/vision-and-mission/</guid><description>Vision A healthy and ubiquitous Internet Immune System enabled by security research, reporting, and disclosure.
Mission To standardize and promote Neighborhood Watch for the Internet.</description></item><item><title>Design Strategy</title><link>https://disclose.io/docs/design-strategy/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/design-strategy/</guid><description>Vulnerability reporting is tricky by nature - Every security issue is a snowflake, and the laws, languages, and people involved are unique every single time.
To compensate for this, and to help make secure easy and insecure (or bad practice) obvious, disclose.io focuses on these design principles:
Legal completeness Simplicity Accessibility Universally recognizable Be useful &amp;amp; safe for security researchers while keeping legal teams happy. Help set clear expectations for security researchers &amp;amp; program owners alike.</description></item><item><title>Key Objectives</title><link>https://disclose.io/docs/key-objectives/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/key-objectives/</guid><description>Key objectives Create a vibrant community that blends security researchers, policymakers, lawyers, and technology vendors to foster collaboration, and creates high-quality tools and data that support a virtuous cycle. Help organizations promote adoption and excellence to their customers, industry peers, and the security community. Maintain a vulnerability disclosure policy maturity model and create a &amp;ldquo;race to the top&amp;rdquo; for VDP adoption and the implementation of best practice. Be the system of record for the Disclose.</description></item><item><title>For Finders and Hackers</title><link>https://disclose.io/docs/for-finders-and-hackers/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/for-finders-and-hackers/</guid><description>As a finder&amp;hellip; &amp;hellip;who has discovered a security issue, I need help to understand where I should report my findings in a way that balances my own legal safety with my confidence in the issue actually being addressed.
&amp;hellip;who is a part of the security community, I want to help my peers solve these problems in the same way I want them to be solved for myself.
As a security researcher&amp;hellip; &amp;hellip;who wants to conduct research, I need to know where I can apply my proactive security research skills without fear of legal recourse.</description></item><item><title>For Organizations and Legal Teams</title><link>https://disclose.io/docs/for-organizations-and-legal-teams/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/for-organizations-and-legal-teams/</guid><description>As an organization&amp;hellip; &amp;hellip;who is considering starting a VDP, I want confidence in the fact that this is best practice, and not an overly aggressive risk.
&amp;hellip;who is running a VDP, I want to be able to clearly show my security maturity to my customers, competitors, and any others interested to know.
&amp;hellip;who is pursuing security maturity, I need a reference to point to in order to explain and validate what progressive security maturity means to an organization like mine.</description></item><item><title>Contributors</title><link>https://disclose.io/docs/open-source-contributors/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/open-source-contributors/</guid><description>disclose.io is open-source, not-for-profit, and volunteer-run. Diversity is what powers our mission, both today and into the future.
Internet superheroes Some of the legends working on disclose.io who eat, sleep, and breathe making the Internet safer.
Founding Members Casey Ellis @caseyjohnellis
Amit Elazari @amitelazari
Chloé Messdaghi @chloemessdaghi
Maintainers Jack Cable @cablej
Harley Geiger @harleygeiger
FJ Fred Jennings esquiring
Beau Woods @beauwoods
Jeremy Manoto @jmanoto
Andrew MacPherson @andrewmohawk
sick.codes @sickcodes
Contributors Daniel Trauner @dantrauner</description></item><item><title>Project Directory</title><link>https://disclose.io/docs/project-directory/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/project-directory/</guid><description>disclose.io maintains an ecosystem of open-source projects that work together to make vulnerability disclosure safer and more accessible. Standards provide the legal and policy foundation, tools make adoption easy, data tracks progress across the internet, and community resources connect the people doing the work.
Everything below is free, open-source, and community-maintained.
Standards and Templates The policy and legal building blocks that underpin everything else.
dioterms — VDP Policy Templates The core set of boilerplate vulnerability disclosure policy templates.</description></item><item><title>Join a Project</title><link>https://disclose.io/docs/join-a-project/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/join-a-project/</guid><description>If you&amp;rsquo;d like to work on any of the disclose.io projects and join our community, we&amp;rsquo;d love your help!
Contact us to get started.</description></item><item><title>The disclose.io Community</title><link>https://disclose.io/docs/the-disclose.io-community/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/the-disclose.io-community/</guid><description>Disclose.io Community Our Discourse at https://community.disclose.io is for sharing research, coordinating policy activism and responses, collaborating with other hackers, and helping finders connect with security teams.
Sign up and introduce yourself!</description></item><item><title>Advocacy and Activism</title><link>https://disclose.io/docs/advocacy-and-activism/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/advocacy-and-activism/</guid><description>advocacy /ˈadvəkəsi/ (noun): public support for or recommendation of a particular cause or policy.
activism /ˈaktɪvɪz(ə)m/ (noun): the policy or action of using vigorous campaigning to bring about political or social change.
Open Letters and Statements Following is a collection of letters and statements that disclose.io and/or its members have either co-authored or joined as a signatory, in reverse chronological order:
Comments on NIST Cyber AI Profile (February 2026) — Joint Cybersecurity Coalition and Hacking Policy Council comments on NIST&amp;rsquo;s Cybersecurity AI Community Profile, recommending lifecycle-based AI risk management and recognition of red teaming and bug bounty programs for AI systems.</description></item><item><title>Press Mentions</title><link>https://disclose.io/docs/press-mentions/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/press-mentions/</guid><description>Date Type Publication Author Title 1/2026 Reference IoT Security Foundation Copper Horse / IoTSF The State of VDP Usage in Global Consumer IoT in 2025 3/6/2025 Partner Reference Intigriti Intigriti Safe harbor legal framework for ethical hackers officially launches in Belgium 12/11/2023 Press Dark Reading Staff Safe Harbor Programs: Ensuring the Bounty Isn&amp;rsquo;t on White Hat Hackers&amp;rsquo; Heads 12/13/2023 Op-Ed Dark Reading Casey Ellis The Unlikely Romance of Hackers and Government Suitors 4/2023 Press TechTarget Staff Hacking Policy Council launches, aims to improve bug disclosure 4/2023 Reference Center for Cybersecurity Policy Staff Center for Cybersecurity Policy and Law Launches Initiatives To Support Detection and Remediation of Security Vulnerabilities 4/5/2023 Academic Duke FinReg Blog Staff Security Researchers Battle Against The DMCA 2023 Podcast Delinea Joseph Carson 401 Access Denied Ep 94: Crowdsourced Security &amp;amp; Vulnerability Disclosure with Casey Ellis 2022 Press The Daily Swig Staff HackerOne encourages customers to adopt standard policy to protect hackers from legal problems Summer 2022 Reference NASS / Ingalls Ingalls Information Security disclose.</description></item><item><title>Conference Talks and Videos</title><link>https://disclose.io/docs/conference-talks-and-videos/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/conference-talks-and-videos/</guid><description>Featured Talks 
More Videos Hacking Policy and Policy Hacking — Amit Elazari, BSidesSF 2023 The State of Vulnerability Disclosure The State of Bug Bounties &amp;amp; AMA — Casey Ellis, Bugcrowd LevelUp 0x01, 2017 Leonard Bailey + Casey Ellis + Marten Mickos — Cybertalks 2017 Bug Bounty Legal Discussion How bug bounties can impact critical infrastructure — Casey Ellis, Passcode Security of Things Forum, 2016 Vulnerability Disclosure Best Practices How building a better hacker accidentally built a better defender — Casey Ellis, OWASP AppSec California, 2015 The Art &amp;amp; Value of Bug Bounties — Casey Ellis &amp;amp; Keren Elezari, 2015 Safe Harbor for Security Research Policy Panel Discussion Presenting Bugcrowd (Most Innovative Company) — Casey Ellis, LAUNCH Silicon Valley, 2013</description></item><item><title>Legal Disclaimer</title><link>https://disclose.io/docs/legal-disclaimer/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/docs/legal-disclaimer/</guid><description> Disclaimer While we&amp;rsquo;ve engaged the legal opinion of many, this does not constitute legal advice. Please consult your legal counsel for the specific suitability of the disclose.io terms in your organization.</description></item></channel></rss>