Headquarters: San Francisco, LA
Disclose.io is a security standardization project launched in 2018. It was created to facilitate the creation and maintenance of open-source, free legal policies and tools for vulnerability disclosure, accessible to the whole security community.
disclose.io is built on CipherLaw's Open Source Vulnerability Disclosure Framework, Amit Elazari's #legalbugbounty, Dropbox's call to protect security researchers, and Bugcrowd. The project was started to improve the security research policies of businesses and to reduce the risk that good-faith security research is treated as criminal activity.
Disclose.io was started with the aim of offering a legal framework that protects both organizations and researchers engaged in vulnerability disclosure programs. In 2016, Bugcrowd collaborated with CipherLaw to put this idea into practice. A year later, the Open Source Vulnerability Disclosure Framework (OSVDF) was released. In 2018 Amit Elazari, a leading cybersecurity specialist, initiated #legalbugbounty, intending to offer safe harbor to security researchers within bug bounty and vulnerability disclosure programs (VDPs). In the same year, disclose.io was launched as a rollup of #legalbugbounty and the OSVDF.
Disclose.io provides clear policy language that an organization adopts before launching a program. The language sets the rules of engagement for researchers, which helps organizations guard against practices like extortion and the reputational damage that can follow a mishandled report, while encouraging the white hat hacker community to look for vulnerabilities in their systems.
Since its inception, disclose.io has been adopted by several businesses, including the co-signatories of the Voatz letter: ES&S, Dominion, and Hart InterCivic. The safe harbor language of disclose.io has also been adopted by CISA. Disclose.io has also influenced several other open-source projects, such as repositories of vulnerability disclosure program and bug bounty policy templates.
The disclose.io terms live in repositories on GitHub and are updated by the community and by members of the disclose.io project. Companies update their VDP policies with the safe harbor terms, update their listing in the disclose.io database, and place the appropriate seal on their website.
In the media
- "Bugcrowd Launches Disclose.io Open-Source Vulnerability Disclosure Framework to Provide a Safe Harbor for White Hat Hackers". GlobeNewswire News Room. 2 August 2018. Retrieved 4 February 2021.
- "Bugcrowd Releases Open Source Responsible Disclosure Framework". www.prnewswire.com. Retrieved 4 February 2021.
- "twitter". Retrieved 4 February 2021.
- "bugcrowd/disclosure-policy". Bugcrowd. 19 January 2021. Retrieved 4 February 2021.
- Hawkins, Derek. "Analysis | The Cybersecurity 202: The law doesn't protect ethical hackers. This new project could help close that gap". Washington Post. Retrieved 4 February 2021.
- Elazari, Amit (11 June 2020). "Amitelazari/Legal-bug-bounty". Retrieved 4 February 2021.
- "criminal-ccips". Retrieved 4 February 2021.
- Elazari, Amit. "Amit Elazari Official Website". Retrieved 4 February 2021.
- "Dropbox revamps vulnerability disclosure policy, with hopes that other companies follow suit". CyberScoop. 21 March 2018. Retrieved 4 February 2021.
- Porup, J. M. (7 August 2018). "Do you need a vulnerability disclosure program? The feds say yes". CSO Online. Retrieved 4 February 2021.
- Osborne, Charlie. "Disclose.io: A safe harbor for hackers disclosing security vulnerabilities". ZDNet. Retrieved 4 February 2021.
- "Open Source Collaborative Hopes to Make Reporting Security Bugs Safer for All". Total Security Advisor. 29 January 2019. Retrieved 4 February 2021.