The disclose.io Framework
The disclose.io Framework: canonical legal terms for vulnerability disclosure, plus the diostatus program-maturity model.
The disclose.io Framework is our open-source, public-domain reference for running a vulnerability disclosure program — starting-point boilerplate for organisations, shared vocabulary for security researchers reading or critiquing programs, and a way to measure maturity over time. It’s all open for review and contribution, so if you spot something off, you can open a PR at github.com/disclose/dioterms (licensed CC0 1.0).
How to use
Policy text appears with styled placeholders like [Organization Name]. You can take them and fill them in manually, or generate a personalised copy via policymaker.disclose.io.
Framework — Terms
Canonical public-domain vulnerability disclosure policy boilerplate: VDP, BBP, and safe harbor.
Framework — Practices
Operational conduct for good-faith security research — how researchers, lawmakers, and program operators distinguish legitimate research …
Framework — Maturity (diostatus)
The disclose.io Maturity Model — a six-level self-assessment for vulnerability disclosure program readiness.