For organizations and legal teams

As an organization…

…who is considering starting a VDP, I want confidence that this is best practice, not an overly aggressive risk.
…who is running a VDP, I want to be able to clearly show my security maturity to my customers, competitors, and anyone else interested.
…who is pursuing security maturity, I need a reference to point to in order to explain and validate what progressive security maturity means for an organization like mine.

…who has never considered inviting hacker input before, we need to understand where successful precedent exists for how to structure terms and conditions.
…who is seeking to improve the simplicity and utility of VDP language, we want to be able to refer to the consensus of experts to support our point of view.
…who is time-poor, we want access to free policy boilerplates that have the weight of market and legal consensus behind them.

How this project can help

Note: While this project engages the legal opinion of many, it does not constitute legal advice. Please consult your legal counsel for the specific suitability of the terms in your organization.

  1. Whether you’re starting from scratch or updating an existing policy, choose the legal terms that best fit your vulnerability disclosure program (VDP) or bug bounty program (BBP).
  2. Publish your new policy, or add the safe harbor terms to your existing VDP or BBP policy.
  3. Submit a pull request to add your program to the open-source program database. The diodb maintainers will confirm the details, validate your status, and merge your request.
  4. Select the appropriate Seal based on your Status.
  5. Add the seal to your security page, vulnerability policy or reporting page, checkout page, and anywhere else you like, and let the world know you’re joining the mission!
