Level 2 — Basic VDP

Public policy document and a real submission channel. No legal protection.

Source: disclose/dioterms. License: CC0-1.0. Replace [bracketed] values with your own.

There is an actual, publicly accessible document describing how the organisation wants vulnerabilities reported, plus a real communication channel to do it through. The intent is in writing. This is the minimum threshold to be considered a functioning Vulnerability Disclosure Program — but there are no legal protections for the researcher yet.

What observers see

  • A public VDP document at a stable URL (often /security/ or /security/policy)
  • Scope language — what’s in, what’s out
  • A concrete submission channel (form, email, platform)
  • Expected response cadence or triage commitments
  • No safe harbor language, OR only passive “we appreciate research” language with no legal commitment

Researcher protection

None, legally. The policy exists only as a statement of intent. A researcher doing good-faith testing still has no defence against a CFAA claim, a DMCA claim, or a TOS-based action.

Path to Level 3

Add language that promises the organisation will not pursue legal action against researchers who act in good faith and follow the policy. See terms/core-vdp.md sections on Safe Harbor for baseline language.