Level 5 — Full Safe Harbor + CVD

Level 4 plus a public coordinated-disclosure timeline. Accountable.

Source: disclose/dioterms. License: CC0-1.0. Replace [bracketed] values with your own.

Everything in Level 4, plus a proactive, public coordinated disclosure timeline — typically 90 days — with a defined process for adjusting it. This creates accountability on the organisation’s side of the equation: researchers know that even if a vendor is slow to act, the vulnerability will eventually see daylight. It transforms the relationship from reactive to collaborative.

What observers see

  • Everything in Level 4
  • A published coordinated-disclosure timeline (commonly 90 days, sometimes 120)
  • A defined extension mechanism — what justifies extending, how it’s negotiated, what the cap is
  • An explicit commitment to public disclosure if the timeline is not met
  • Typically: a CVE issuance process, advisory authoring, researcher credit norms

Researcher protection

Full — for testing and disclosure. A researcher at Level 5 has:

  • Authorised access for testing (Level 4 properties)
  • A predictable path to public disclosure that doesn’t require consent from the vendor
  • Accountability on both sides: the organisation must actually act, or the vulnerability becomes public

Beyond Level 5

diostatus stops at 5 intentionally — the jump from “no program” to Level 5 is already a years-long journey for most organisations. Beyond Level 5, differences become practice- and culture-based rather than policy-based:

  • Proactive outreach to researchers
  • Published payout scales (for BBPs)
  • Public transparency reports
  • Participation in industry-wide CVD coordination (CERT/CC, national CSIRTs, multi-party disclosure)

See practices/ for operational guidance beyond the policy surface.