disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbour for good-faith security research.

The project expands on the work done by Bugcrowd and CipherLaw’s Open Source Vulnerability Disclosure Framework, Amit Elazari’s #legalbugbounty, and Dropbox’s call to protect security researchers.

Our framework is designed to balance:

  • Legal completeness
  • Safe harbor for researchers
  • Safe harbor for program owners
  • Readability… For those without a legal background or who don’t speak English as their first language. In short, everyone.

Organizations displaying the disclose.io logo are committing to a set of core terms focused on creating safe harbor for good-faith security research.

In order to uphold this commitment, such organizations are required to provide:

  • Clear definitions regarding the permitted Scope.
  • One or more Official Communication Channels.
  • A formal Disclosure Policy.