The disclose.io Universe
The open standard for safe harbor vulnerability disclosure — and the ecosystem that makes it real.
The disclose.io project is the open-source layer between raw standards (ISO 29147, CISA CVD) and commercial platforms — a vendor-agnostic, practitioner-first playbook for coordinated vulnerability disclosure.
Below is the full ecosystem. Every component answers a real question someone asks when they hit the VDP wall.
Core
- disclose.io — the framework, docs, and project home
- directory.disclose.io — the canonical disclose.io database of programs and platforms
- disclose.io/programs — curated programs with safe harbor language
- disclose.io/platforms — bug bounty platforms supporting safe harbor
- disclose.io/threats — research on legal threats to security researchers
- disclose.io/history — 20+ years of coordinated disclosure
Tools
- lookup.disclose.io — vendor → security contact, program, and safe harbor status
- dnssecuritytxt.org — DNS-based security contact discovery
Community
- community.disclose.io — the forum
- blog.disclose.io — updates, commentary, and research
Open source
- dioterms — safe harbor policy templates
- diodb — open database of disclosure programs
- policymaker.disclose.io — guided VDP policy generator
Legal backstop
- SRLDF — Security Research Legal Defense Fund
Contribute, ask questions, or start a program: [email protected].
