Framework — Maturity (diostatus)

The disclose.io Maturity Model — a six-level self-assessment for vulnerability disclosure program readiness.

diostatus is a six-level self-assessment describing how prepared an organisation is to receive and handle external vulnerability reports.

diostatus Maturity Model — the progression from Level 0 to Level 5

The progression in one line

Findable → Communicating → Not hostile → Explicitly safe → Accountable.

Each level builds on the previous, creating a clear progression path for organisations to improve their vulnerability disclosure practices.

Summary

LevelNameKey SignalResearcher Protection
0Not PresentNo contact, no policyNone
1Contact Onlysecurity.txt / intake method existsNone (but reachable)
2Basic VDPPublic policy + channelNone (but documented)
3Partial Safe HarborWon’t pursue legal actionPartial — report safely
4Full Safe HarborExplicitly authorises testing + law exemptionsFull — test safely
5Full Safe Harbor + CVDLevel 4 + proactive disclosure timelineFull + accountability

See the individual level pages for plain-English definitions of each stage and how to progress between them.

Level 0 — Not Present

No findable contact, no policy, no intake method.

Read policy →

Level 1 — Contact Only

security.txt published; a researcher can reach someone. No policy yet.

Read policy →

Level 2 — Basic VDP

Public policy document and a real submission channel. No legal protection.

Read policy →

Level 3 — Partial Safe Harbor

A commitment not to pursue legal action. Report safely; test uncertainly.

Read policy →

Level 4 — Full Safe Harbor

Explicit testing authorisation and carve-outs from CFAA / DMCA / TOS.

Read policy →

Level 5 — Full Safe Harbor + CVD

Level 4 plus a public coordinated-disclosure timeline. Accountable.

Read policy →