<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Framework — Maturity (diostatus) on disclose.io</title><link>https://disclose.io/framework/maturity/</link><description>Recent content in Framework — Maturity (diostatus) on disclose.io</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://disclose.io/framework/maturity/index.xml" rel="self" type="application/rss+xml"/><item><title>Level 0 — Not Present</title><link>https://disclose.io/framework/maturity/level-0/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/framework/maturity/level-0/</guid><description>The organisation has no findable security contact, no security.txt, no disclosed policy, and no public intake method. A researcher discovering a vulnerability has no safe or sanctioned way to report it. From the ecosystem&amp;rsquo;s perspective, this organisation is effectively invisible — or worse, implicitly hostile to disclosure.
What observers see:
No /.well-known/security.txt
No security@ or equivalent mailbox documented publicly
No policy page, no disclosure program, no bug bounty listing
No response (or a hostile response) to any informal outreach
Researcher protection: None.</description></item><item><title>Level 1 — Contact Only</title><link>https://disclose.io/framework/maturity/level-1/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/framework/maturity/level-1/</guid><description>The organisation is findable and has a working intake method for security reports. This is typically evidenced by a security.txt file and/or a dedicated security contact (email, form, or URL). The bar is deliberately low — it just means a researcher can reach someone. There is no policy document, no legal commitment, and no defined process. But you exist, and you can be found.
What observers see security.txt published at /.</description></item><item><title>Level 2 — Basic VDP</title><link>https://disclose.io/framework/maturity/level-2/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/framework/maturity/level-2/</guid><description>There is an actual, publicly accessible document describing how the organisation wants vulnerabilities reported, plus a real communication channel to do it through. The intent is in writing. This is the minimum threshold to be considered a functioning Vulnerability Disclosure Program — but there are no legal protections for the researcher yet.
What observers see:
A public VDP document at a stable URL (often /security/ or /security/policy)
Scope language — what&amp;rsquo;s in, what&amp;rsquo;s out
A concrete submission channel (form, email, platform)
Expected response cadence or triage commitments
No safe harbor language, OR only passive &amp;ldquo;we appreciate research&amp;rdquo; language with no legal commitment
Researcher protection: None legally.</description></item><item><title>Level 3 — Partial Safe Harbor</title><link>https://disclose.io/framework/maturity/level-3/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/framework/maturity/level-3/</guid><description>The policy makes a promise not to pursue legal action against researchers acting in good faith. The key word is promissory — language like &amp;ldquo;we will not pursue&amp;rdquo; or &amp;ldquo;we will not take legal action.&amp;rdquo; This is where researcher protection begins. However, it stops short of explicitly authorising testing — think of it as &amp;ldquo;you&amp;rsquo;re safe to report&amp;rdquo; rather than &amp;ldquo;you&amp;rsquo;re safe to test.&amp;rdquo; The protection is real but incomplete.</description></item><item><title>Level 4 — Full Safe Harbor</title><link>https://disclose.io/framework/maturity/level-4/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/framework/maturity/level-4/</guid><description>The meaningful legal leap. The organisation doesn&amp;rsquo;t just promise not to sue — it explicitly grants permission to test, and carves out exemptions from the specific laws that typically get researchers in trouble:
Anti-hacking laws (CFAA, CMA, or equivalent)
Anti-circumvention laws (DMCA, or equivalent)
The organisation&amp;rsquo;s own Terms of Service / AUP
Scope, compensation, communication channels, and disclosure process are all clearly defined. A researcher can point to this policy as a legal defence.</description></item><item><title>Level 5 — Full Safe Harbor + CVD</title><link>https://disclose.io/framework/maturity/level-5/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://disclose.io/framework/maturity/level-5/</guid><description>Everything in Level 4, plus a proactive, public coordinated disclosure timeline — typically 90 days — with a defined process for adjusting it. This creates accountability on the organisation&amp;rsquo;s side of the equation: researchers know that even if a vendor is slow to act, the vulnerability will eventually see daylight. It transforms the relationship from reactive to collaborative.
What observers see:
Everything in Level 4
A published coordinated-disclosure timeline (commonly 90 days, sometimes 120)
A defined extension mechanism — what justifies extending, how it&amp;rsquo;s negotiated, what the cap is
An explicit commitment to public disclosure if the timeline is not met
Typically: a CVE issuance process, advisory authoring, researcher credit norms
Researcher protection: Full — for testing and disclosure.</description></item></channel></rss>