From 9e4d6ca776077c3e99305eac040ccc6a4cd98cb0 Mon Sep 17 00:00:00 2001 From: yesnet0 <12779999+yesnet0@users.noreply.github.com> Date: Sun, 5 Jul 2026 04:26:56 -0700 Subject: [PATCH 1/4] Realign front-door copy to the 2026 mission/deck + make dev auth wall opt-in - Hero tagline now leads with the infrastructure framing (powers vulnerability disclosure and security reporting, Internet-wide) while keeping the safe/simple/standardized triad, plus a subtle supporting line (open/est-2018, 27,583 orgs tracked, the Fortune 100 safe-harbor scoreboard). - what-is-disclose / vision-and-mission / key-objectives / universe rewritten to the deck framing: provenance (2014 lineage, 2018 founded, 2020 dioterms CC0), the ecosystem (standards/tools/data/measurement/commons), and the F100/ASX100/FTSE100 safe-harbor scoreboard. Footer blurb, site meta and llms.txt aligned to the same wording. - The "I found a vulnerability" card retargeted from directory to lookup.disclose.io (a finder's first need is who to report to). - Footer resources gain Directory, Scoreboard and Vault. - functions/_middleware.ts: the basic-auth wall is now OPT-IN (enforces only when REQUIRE_AUTH=true) so dev.disclose.io serves ungated. noindex is still enforced via static/_headers. Look and feel unchanged (copy, one muted supporting line, three footer links). preview branch only; live disclose.io (main) is unaffected. --- config/_default/menus.toml | 15 +++++++++++++++ config/_default/params.toml | 2 +- content/_index.md | 5 +++-- content/docs/key-objectives.md | 4 ++-- content/docs/vision-and-mission.md | 12 +++++++----- content/docs/what-is-disclose.md | 18 +++++++++++++++--- content/faqs/how-to-interact.md | 2 +- content/universe.md | 16 ++++++++++------ data/navigation/boxes.yaml | 4 ++-- functions/_middleware.ts | 24 ++++++++++++++++-------- layouts/partials/footer.html | 2 +- layouts/partials/hero.html | 7 +++++++ static/llms.txt | 9 +++++---- 13 files changed, 85 insertions(+), 35 deletions(-) diff --git a/config/_default/menus.toml b/config/_default/menus.toml index cad38e9..df027cd 100644 --- a/config/_default/menus.toml +++ b/config/_default/menus.toml @@ -118,6 +118,21 @@ url = "/history/" weight = 40 +[[footer_resources]] + name = "Directory" + url = "https://directory.disclose.io" + weight = 45 + +[[footer_resources]] + name = "Scoreboard" + url = "https://state.disclose.io" + weight = 50 + +[[footer_resources]] + name = "Vault" + url = "https://vault.disclose.io" + weight = 55 + # Footer navigation - Community [[footer_community]] name = "GitHub" diff --git a/config/_default/params.toml b/config/_default/params.toml index 3a5ac41..4b1934f 100644 --- a/config/_default/params.toml +++ b/config/_default/params.toml @@ -1,5 +1,5 @@ # Site metadata -description = "disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for security researchers." +description = "disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere." author = "disclose.io" # Social/SEO diff --git a/content/_index.md b/content/_index.md index abb1349..b6bb759 100644 --- a/content/_index.md +++ b/content/_index.md @@ -1,9 +1,10 @@ --- title: "disclose.io" -description: "We're here to make vulnerability disclosure safe, simple, and standardized for everyone." +description: "disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere." hero: title: "disclose.io" - subtitle: "We're here to make vulnerability disclosure safe, simple, and standardized for everyone." + subtitle: "We're the infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — making it safe, simple, and standardized for researchers and organizations everywhere." + supporting: "Open source and vendor-neutral since 2018 · 27,583 disclosure programs tracked · home of the Fortune 100 safe-harbor scoreboard." image: "uploads/tug-of-war.png" search: true buttons: diff --git a/content/docs/key-objectives.md b/content/docs/key-objectives.md index d29414a..1b20fd5 100644 --- a/content/docs/key-objectives.md +++ b/content/docs/key-objectives.md @@ -8,7 +8,7 @@ weight: 40 - **Create a vibrant community** that blends [security researchers, policymakers, lawyers, and technology vendors](https://community.disclose.io) to foster collaboration, and creates high-quality tools and data that support a virtuous cycle. - Help organizations **promote adoption and excellence** to their customers, industry peers, and the security community. -- Maintain a [vulnerability disclosure policy maturity model](/docs/diostatus/) and **create a "race to the top"** for VDP adoption and the implementation of best practice. -- **Be the system of record** for the Disclose.io Status of a policy, provide easy mechanisms for anyone to lookup a target/organization, or to update their status. +- Maintain a [vulnerability disclosure policy maturity model](/framework/maturity/) and **create a "race to the top"** for VDP adoption and the implementation of best practice — published as the evidence-backed [Fortune 100 / ASX 100 / FTSE 100 scoreboard](https://state.disclose.io/top-100/). +- **Be the [open system of record](https://directory.disclose.io)** for the disclosure status of every program, and give anyone an easy way to [look up a target/organization](https://lookup.disclose.io) or update their status. - **Drive the state of the art** in thinking around legal risks faced for security researchers and the steps organizations can take to reduce them. - [Make tools and techniques](https://github.com/disclose) **freely available** to technology vendors to ease the socialization and adoption of VDP. diff --git a/content/docs/vision-and-mission.md b/content/docs/vision-and-mission.md index f480133..407c1fc 100644 --- a/content/docs/vision-and-mission.md +++ b/content/docs/vision-and-mission.md @@ -1,15 +1,17 @@ --- title: "Vision and Mission" -description: "Our vision for a healthy Internet Immune System." +description: "Make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere." weight: 20 --- -## Vision +## Mission -> A healthy and ubiquitous Internet Immune System enabled by security research, reporting, and disclosure. +> Make vulnerability disclosure **safe, simple, and standardized** for researchers and organizations everywhere — the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. -## Mission +## Vision + +> A world where every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping. -> To standardize and promote Neighborhood Watch for the Internet. +Or, as we've long put it: a healthy and ubiquitous **Internet Immune System** enabled by security research, reporting, and disclosure — "Neighborhood Watch for the Internet." ![disclose.io timeline](/uploads/diotimeline.png) diff --git a/content/docs/what-is-disclose.md b/content/docs/what-is-disclose.md index 7cc1141..b2cf2b5 100644 --- a/content/docs/what-is-disclose.md +++ b/content/docs/what-is-disclose.md @@ -1,20 +1,30 @@ --- title: "What is disclose.io" slug: "what-is-disclose.io" -description: "A cross-industry, vendor-agnostic standardization project for safe harbor best practices." +description: "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide." weight: 10 aliases: - /docs/ --- -Disclose.io is a **cross-industry, vendor-agnostic standardization project** for safe harbor best practices to enable good-faith security research. +Disclose.io is the **open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — Internet-wide.** We make disclosure **safe, simple, and standardized** for researchers and organizations everywhere. ![tug-of-war 2021](/uploads/tug-of-war.jpg) -We provide free, open-source tools and data to help **establish and improve vulnerability disclosure programs** and an easily recognizable seal for those taking part in "Neighbourhood Watch for the Internet." +We didn't join this movement — we helped start it. The first open-source vulnerability disclosure framework, with bilateral safe harbor in its very first commit (2014), is the direct ancestor of the disclose.io terms. disclose.io was founded in **2018** as the vendor-neutral home to standardize safe harbor for *everyone* — not one platform's customers — and in **2020** published the **dioterms**: lawyer-reviewed, CC0 safe-harbor language, free for any organization on earth. ![tug-of-war 2026](/uploads/becausemath-2026.png) +## An ecosystem, not a page + +disclose.io is one mission across a family of open, vendor-neutral properties — the shared infrastructure the disclosure ecosystem runs on: + +- **Standards** — [dioterms](https://github.com/disclose/dioterms) (CC0 safe-harbor language) and [dnssecuritytxt](https://dnssecuritytxt.org) (security contact at the DNS layer). +- **Tools** — [policymaker](https://policymaker.disclose.io) (generate a VDP, security.txt, and DNS Security TXT), [lookup](https://lookup.disclose.io) (resolve any asset to its security contact), and [vault](https://vault.disclose.io) (cryptographically-enforced coordinated disclosure). +- **Data** — [directory.disclose.io](https://directory.disclose.io), the open **system of record** for every known VDP and bug bounty program. +- **Measurement** — [state.disclose.io](https://state.disclose.io) and the [Fortune 100 / ASX 100 / FTSE 100 safe-harbor scoreboard](https://state.disclose.io/top-100/): an evidence-backed, zero-hallucination audit of how the world's biggest companies actually handle disclosure. +- **The record & the commons** — [/threats](/threats) (the public archive of legal threats against researchers), [community.disclose.io](https://community.disclose.io), and the weekly [PolicyPulse](https://blog.disclose.io). + ## Powered by experts With the help of expert maintainers and by harnessing the power of open-source, disclose.io provides: @@ -22,3 +32,5 @@ With the help of expert maintainers and by harnessing the power of open-source, - **Free boilerplate policies**, tools, contact lists, and data-sets; - A **straight-forward maturity model** with recognition of all levels of best practice adoption, and - **Centralized assistance, information**, activism, advocacy for security researchers and those wanting to report security issues. + +Today the directory tracks **27,583 organizations and programs** — and only **10 of the Fortune 100** (ASX 100: six; FTSE 100: three) offer researchers true legal safe harbor. That gap is the reason this infrastructure exists. diff --git a/content/faqs/how-to-interact.md b/content/faqs/how-to-interact.md index 62946f1..a7df247 100644 --- a/content/faqs/how-to-interact.md +++ b/content/faqs/how-to-interact.md @@ -10,4 +10,4 @@ Glad you asked! - Help us keep "The Big List" of known VDPs and bug bounty programs up-to-date by submitting a PR to the dioterms repo - Contribute to the dioterms open-source vulnerability disclosure policy by raising an issue on the repo… or add a language or regional legal translation by submitting a PR - Volunteer as a core contributor/maintainer on one of our existing projects -- Recommend a new project to support our mission to make vulnerability disclosure safe, simple, and standardized. +- Recommend a new project to support our mission to make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere. diff --git a/content/universe.md b/content/universe.md index cd12153..ae6fc66 100644 --- a/content/universe.md +++ b/content/universe.md @@ -3,7 +3,7 @@ title: "The disclose.io Universe" description: "The open standard for safe harbor vulnerability disclosure — and the ecosystem that makes it real." --- -The disclose.io project is the open-source layer between raw standards (ISO 29147, CISA CVD) and commercial platforms — a vendor-agnostic, practitioner-first playbook for coordinated vulnerability disclosure. +The disclose.io project is the open-source layer between raw standards (ISO 29147, CISA CVD) and commercial platforms — a vendor-neutral, practitioner-first playbook for coordinated vulnerability disclosure. It's the open infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. Below is the full ecosystem. Every component answers a real question someone asks when they hit the VDP wall. @@ -15,26 +15,30 @@ Below is the full ecosystem. Every component answers a real question someone ask ## Core - [disclose.io](/) — the framework, docs, and project home -- [directory.disclose.io](https://directory.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=directory) — the canonical disclose.io database of programs and platforms +- [directory.disclose.io](https://directory.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=directory) — the open **system of record** for every known VDP and bug bounty program +- [state.disclose.io](https://state.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=state) — ecosystem maturity metrics + the evidence-backed [Fortune 100 / ASX 100 / FTSE 100 safe-harbor scoreboard](https://state.disclose.io/top-100/) - [disclose.io/programs](/programs) — curated programs with safe harbor language - [disclose.io/platforms](/platforms) — bug bounty platforms supporting safe harbor -- [disclose.io/threats](/threats) — research on legal threats to security researchers +- [disclose.io/threats](/threats) — the public archive of legal threats to security researchers - [disclose.io/history](/history) — 20+ years of coordinated disclosure ## Tools - [lookup.disclose.io](https://lookup.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=lookup) — vendor → security contact, program, and safe harbor status +- [policymaker.disclose.io](https://policymaker.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=policymaker) — guided VDP policy, security.txt, and DNS Security TXT generator +- [vault.disclose.io](https://vault.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=vault) — cryptographically-enforced coordinated disclosure with deadline enforcement - [dnssecuritytxt.org](https://dnssecuritytxt.org?utm_source=universe&utm_medium=onepager&utm_campaign=dnssecuritytxt) — DNS-based security contact discovery ## Community - [community.disclose.io](https://community.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=community) — the forum -- [blog.disclose.io](https://blog.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=blog) — updates, commentary, and research +- [blog.disclose.io](https://blog.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=blog) — PolicyPulse and commentary ("Running With Scissors") +- [dates.disclose.io](https://dates.disclose.io/upcoming-dates.ics) — the shared disclosure calendar (subscribable ICS) ## Open source -- [dioterms](https://github.com/disclose/dioterms?utm_source=universe&utm_medium=onepager&utm_campaign=dioterms) — safe harbor policy templates -- [diodb](https://github.com/disclose/diodb?utm_source=universe&utm_medium=onepager&utm_campaign=diodb) — open database of disclosure programs +- [dioterms](https://github.com/disclose/dioterms?utm_source=universe&utm_medium=onepager&utm_campaign=dioterms) — CC0, lawyer-reviewed safe harbor policy templates +- [diodb](https://github.com/disclose/diodb?utm_source=universe&utm_medium=onepager&utm_campaign=diodb) — legacy open dataset (superseded by [directory.disclose.io](https://directory.disclose.io) as the system of record) - [policymaker.disclose.io](https://policymaker.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=policymaker) — guided VDP policy generator ## Legal backstop diff --git a/data/navigation/boxes.yaml b/data/navigation/boxes.yaml index e440df4..3fd5e79 100644 --- a/data/navigation/boxes.yaml +++ b/data/navigation/boxes.yaml @@ -6,9 +6,9 @@ url: "https://policymaker.disclose.io" - title: "I found a vulnerability" - description: "Look up the organization's disclosure program, check their safe harbor status, and get help navigating the process if you need it." + description: "Look up who to report to. Lookup resolves any asset to its security contact, disclosure program, and safe harbor status — and helps you navigate the process." icon: "search" - url: "https://directory.disclose.io" + url: "https://lookup.disclose.io" - title: "I'm researching a program" description: "Browse the open directory of every known vulnerability disclosure and bug bounty program, with scope, policy URLs, and safe-harbor language." diff --git a/functions/_middleware.ts b/functions/_middleware.ts index ed95995..a8d7296 100644 --- a/functions/_middleware.ts +++ b/functions/_middleware.ts @@ -1,17 +1,20 @@ /** - * dev.disclose.io basic-auth wall. + * dev.disclose.io basic-auth wall — OPT-IN (disabled by default). * - * Runs on every request to the Cloudflare Pages deployment. Reads credentials - * from the BASIC_AUTH_USERS env var (one `user:password` per line, blank lines - * and `#`-comments ignored). Returns 401 with WWW-Authenticate when missing or - * invalid; calls next() to serve the static asset on success. + * The wall only enforces when REQUIRE_AUTH === "true". When enabled it reads + * credentials from BASIC_AUTH_USERS (one `user:password` per line, blank lines + * and `#`-comments ignored), returns 401 with WWW-Authenticate on missing/ + * invalid creds, 503 if enabled but no users are configured, and calls next() + * on success. * - * Fail-closed: if BASIC_AUTH_USERS is unset or empty, every request returns - * 503 "Setup required". This guarantees the dev preview cannot be public for - * the gap between Pages project creation and the env var being set. + * dev.disclose.io is intentionally public (Casey, 2026-07-05): REQUIRE_AUTH is + * unset, so requests pass straight through. noindex is still enforced via + * static/_headers. To re-enable the wall on any environment, set + * REQUIRE_AUTH="true" and BASIC_AUTH_USERS on that Pages project. */ interface Env { + REQUIRE_AUTH?: string; BASIC_AUTH_USERS?: string; } @@ -20,6 +23,11 @@ const REALM = "dev.disclose.io"; export const onRequest: PagesFunction = async (context) => { const { request, next, env } = context; + // Opt-in gate: the wall stays off unless explicitly enabled. + if (env.REQUIRE_AUTH !== "true") { + return next(); + } + const configured = parseUsers(env.BASIC_AUTH_USERS ?? ""); if (configured.length === 0) { return setupRequired(); diff --git a/layouts/partials/footer.html b/layouts/partials/footer.html index 256135a..513180f 100644 --- a/layouts/partials/footer.html +++ b/layouts/partials/footer.html @@ -7,7 +7,7 @@ disclose.io

- disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for security researchers. + disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere. Open source since 2018.

diff --git a/layouts/partials/hero.html b/layouts/partials/hero.html index 9280fc2..12870eb 100644 --- a/layouts/partials/hero.html +++ b/layouts/partials/hero.html @@ -21,6 +21,13 @@

+ {{ . }} +

+ {{ end }}

diff --git a/static/llms.txt b/static/llms.txt index 9771d01..0116c2f 100644 --- a/static/llms.txt +++ b/static/llms.txt @@ -1,14 +1,15 @@ # disclose.io -> disclose.io is a collaborative, vendor-agnostic project to standardize best practices around safe harbor for security researchers engaged in good-faith vulnerability disclosure. +> disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere. -We maintain open-source databases, policy templates, and educational resources to make vulnerability disclosure safe, simple, and standardized for everyone. A fuller machine-readable corpus is available at [llms-full.txt](https://disclose.io/llms-full.txt). +We maintain open-source databases, policy templates, tools, and educational resources to make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere. A fuller machine-readable corpus is available at [llms-full.txt](https://disclose.io/llms-full.txt). ## Open Databases - [Bug Bounty Platforms](https://disclose.io/platforms/): Community-curated directory of every known bug bounty, vulnerability disclosure, and crowdsourced security platform. Open-source at github.com/disclose/bug-bounty-platforms. - [VDP Programs](https://disclose.io/programs/): The largest open directory of vulnerability disclosure and bug bounty programs on the public internet. Each entry includes scope, policy URL, and safe-harbor language. Powers lookup.disclose.io. - [Research Threats](https://disclose.io/threats/): Canonical public archive of legal threats made against security researchers engaged in good-faith vulnerability disclosure. Open-source at github.com/disclose/research-threats. +- [State of Disclosure / Scoreboard](https://state.disclose.io): Ecosystem maturity metrics plus the evidence-backed Fortune 100 / ASX 100 / FTSE 100 safe-harbor scoreboard (state.disclose.io/top-100). ## The Framework @@ -22,8 +23,8 @@ We maintain open-source databases, policy templates, and educational resources t ## Documentation -- [What is disclose.io](https://disclose.io/docs/what-is-disclose/): A cross-industry, vendor-agnostic standardization project for safe harbor best practices. -- [Vision and Mission](https://disclose.io/docs/vision-and-mission/): The vision for a healthy Internet Immune System. +- [What is disclose.io](https://disclose.io/docs/what-is-disclose/): The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. +- [Vision and Mission](https://disclose.io/docs/vision-and-mission/): Make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere. - [Design Strategy](https://disclose.io/docs/design-strategy/): Design principles for making secure easy and insecure obvious. - [Key Objectives](https://disclose.io/docs/key-objectives/): The key objectives driving the disclose.io project. - [For Finders and Hackers](https://disclose.io/docs/for-finders-and-hackers/): How disclose.io helps security researchers and finders. From 9c91237b63f3a5871ef32431de22848f4a608119 Mon Sep 17 00:00:00 2001 From: yesnet0 <12779999+yesnet0@users.noreply.github.com> Date: Sun, 5 Jul 2026 04:42:08 -0700 Subject: [PATCH 2/4] Tighten front-door copy and drop drift-prone stats - Remove hard numbers that would go stale: org totals (27,583), the Fortune 100 / ASX 100 / FTSE 100 tallies, and founding years. The scoreboard is now referred to qualitatively ("safe-harbor scoreboard for the world's biggest companies"). - Tighten everything for a wide, mixed audience: shorter hero tagline and supporting line, condensed what-is / vision-and-mission / key-objectives, and "for everyone" in place of longer phrasings. - No look/feel change; preview branch only. --- config/_default/params.toml | 2 +- content/_index.md | 6 +++--- content/docs/key-objectives.md | 4 ++-- content/docs/vision-and-mission.md | 8 ++++---- content/docs/what-is-disclose.md | 30 ++++++++++++++---------------- content/faqs/how-to-interact.md | 2 +- content/universe.md | 2 +- layouts/partials/footer.html | 2 +- static/llms.txt | 10 +++++----- 9 files changed, 32 insertions(+), 34 deletions(-) diff --git a/config/_default/params.toml b/config/_default/params.toml index 4b1934f..44b8cc6 100644 --- a/config/_default/params.toml +++ b/config/_default/params.toml @@ -1,5 +1,5 @@ # Site metadata -description = "disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere." +description = "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone." author = "disclose.io" # Social/SEO diff --git a/content/_index.md b/content/_index.md index b6bb759..23f7860 100644 --- a/content/_index.md +++ b/content/_index.md @@ -1,10 +1,10 @@ --- title: "disclose.io" -description: "disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere." +description: "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone." hero: title: "disclose.io" - subtitle: "We're the infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — making it safe, simple, and standardized for researchers and organizations everywhere." - supporting: "Open source and vendor-neutral since 2018 · 27,583 disclosure programs tracked · home of the Fortune 100 safe-harbor scoreboard." + subtitle: "The infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone." + supporting: "Open source · vendor-neutral · home of the safe-harbor scoreboard." image: "uploads/tug-of-war.png" search: true buttons: diff --git a/content/docs/key-objectives.md b/content/docs/key-objectives.md index 1b20fd5..45f0503 100644 --- a/content/docs/key-objectives.md +++ b/content/docs/key-objectives.md @@ -8,7 +8,7 @@ weight: 40 - **Create a vibrant community** that blends [security researchers, policymakers, lawyers, and technology vendors](https://community.disclose.io) to foster collaboration, and creates high-quality tools and data that support a virtuous cycle. - Help organizations **promote adoption and excellence** to their customers, industry peers, and the security community. -- Maintain a [vulnerability disclosure policy maturity model](/framework/maturity/) and **create a "race to the top"** for VDP adoption and the implementation of best practice — published as the evidence-backed [Fortune 100 / ASX 100 / FTSE 100 scoreboard](https://state.disclose.io/top-100/). -- **Be the [open system of record](https://directory.disclose.io)** for the disclosure status of every program, and give anyone an easy way to [look up a target/organization](https://lookup.disclose.io) or update their status. +- Maintain a [maturity model](/framework/maturity/) and drive a **race to the top** — published as the evidence-backed [safe-harbor scoreboard](https://state.disclose.io/top-100/). +- **Be the [open system of record](https://directory.disclose.io)** for every program's disclosure status, and let anyone [look one up](https://lookup.disclose.io) or update it. - **Drive the state of the art** in thinking around legal risks faced for security researchers and the steps organizations can take to reduce them. - [Make tools and techniques](https://github.com/disclose) **freely available** to technology vendors to ease the socialization and adoption of VDP. diff --git a/content/docs/vision-and-mission.md b/content/docs/vision-and-mission.md index 407c1fc..74fa06b 100644 --- a/content/docs/vision-and-mission.md +++ b/content/docs/vision-and-mission.md @@ -1,17 +1,17 @@ --- title: "Vision and Mission" -description: "Make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere." +description: "Make vulnerability disclosure safe, simple, and standardized for everyone." weight: 20 --- ## Mission -> Make vulnerability disclosure **safe, simple, and standardized** for researchers and organizations everywhere — the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. +> Make vulnerability disclosure **safe, simple, and standardized** for everyone — the open, vendor-neutral infrastructure that powers disclosure and security reporting. ## Vision -> A world where every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping. +> Every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping. -Or, as we've long put it: a healthy and ubiquitous **Internet Immune System** enabled by security research, reporting, and disclosure — "Neighborhood Watch for the Internet." +Our shorthand: a healthy **Internet Immune System** — "Neighborhood Watch for the Internet." ![disclose.io timeline](/uploads/diotimeline.png) diff --git a/content/docs/what-is-disclose.md b/content/docs/what-is-disclose.md index b2cf2b5..e614d42 100644 --- a/content/docs/what-is-disclose.md +++ b/content/docs/what-is-disclose.md @@ -1,36 +1,34 @@ --- title: "What is disclose.io" slug: "what-is-disclose.io" -description: "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide." +description: "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting." weight: 10 aliases: - /docs/ --- -Disclose.io is the **open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — Internet-wide.** We make disclosure **safe, simple, and standardized** for researchers and organizations everywhere. +disclose.io is the **open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting.** We make it **safe, simple, and standardized** for everyone. ![tug-of-war 2021](/uploads/tug-of-war.jpg) -We didn't join this movement — we helped start it. The first open-source vulnerability disclosure framework, with bilateral safe harbor in its very first commit (2014), is the direct ancestor of the disclose.io terms. disclose.io was founded in **2018** as the vendor-neutral home to standardize safe harbor for *everyone* — not one platform's customers — and in **2020** published the **dioterms**: lawyer-reviewed, CC0 safe-harbor language, free for any organization on earth. +We didn't join this movement — we started it. disclose.io is the vendor-neutral home for safe harbor, and we publish the free, lawyer-reviewed policy language (**dioterms**, CC0) the ecosystem runs on. ![tug-of-war 2026](/uploads/becausemath-2026.png) -## An ecosystem, not a page +## One mission, many tools -disclose.io is one mission across a family of open, vendor-neutral properties — the shared infrastructure the disclosure ecosystem runs on: +Open, vendor-neutral properties, each answering a real question: -- **Standards** — [dioterms](https://github.com/disclose/dioterms) (CC0 safe-harbor language) and [dnssecuritytxt](https://dnssecuritytxt.org) (security contact at the DNS layer). -- **Tools** — [policymaker](https://policymaker.disclose.io) (generate a VDP, security.txt, and DNS Security TXT), [lookup](https://lookup.disclose.io) (resolve any asset to its security contact), and [vault](https://vault.disclose.io) (cryptographically-enforced coordinated disclosure). -- **Data** — [directory.disclose.io](https://directory.disclose.io), the open **system of record** for every known VDP and bug bounty program. -- **Measurement** — [state.disclose.io](https://state.disclose.io) and the [Fortune 100 / ASX 100 / FTSE 100 safe-harbor scoreboard](https://state.disclose.io/top-100/): an evidence-backed, zero-hallucination audit of how the world's biggest companies actually handle disclosure. -- **The record & the commons** — [/threats](/threats) (the public archive of legal threats against researchers), [community.disclose.io](https://community.disclose.io), and the weekly [PolicyPulse](https://blog.disclose.io). +- **Standards** — [dioterms](https://github.com/disclose/dioterms) (safe-harbor language) and [dnssecuritytxt](https://dnssecuritytxt.org) (contacts at the DNS layer). +- **Tools** — [policymaker](https://policymaker.disclose.io) (draft a policy), [lookup](https://lookup.disclose.io) (find who to report to), and [vault](https://vault.disclose.io) (coordinate disclosure). +- **Data** — [directory.disclose.io](https://directory.disclose.io), the open system of record for every program. +- **Measurement** — [state.disclose.io](https://state.disclose.io), the safe-harbor scoreboard for the world's biggest companies. +- **Record & commons** — [/threats](/threats), [community.disclose.io](https://community.disclose.io), and the weekly [PolicyPulse](https://blog.disclose.io). ## Powered by experts -With the help of expert maintainers and by harnessing the power of open-source, disclose.io provides: +Open-source and expert-maintained, disclose.io provides: -- **Free boilerplate policies**, tools, contact lists, and data-sets; -- A **straight-forward maturity model** with recognition of all levels of best practice adoption, and -- **Centralized assistance, information**, activism, advocacy for security researchers and those wanting to report security issues. - -Today the directory tracks **27,583 organizations and programs** — and only **10 of the Fortune 100** (ASX 100: six; FTSE 100: three) offer researchers true legal safe harbor. That gap is the reason this infrastructure exists. +- **Free** policies, tools, contact lists, and data; +- A **maturity model** that recognizes every level of adoption; and +- **Help** for researchers and anyone reporting a security issue. diff --git a/content/faqs/how-to-interact.md b/content/faqs/how-to-interact.md index a7df247..f7764db 100644 --- a/content/faqs/how-to-interact.md +++ b/content/faqs/how-to-interact.md @@ -10,4 +10,4 @@ Glad you asked! - Help us keep "The Big List" of known VDPs and bug bounty programs up-to-date by submitting a PR to the dioterms repo - Contribute to the dioterms open-source vulnerability disclosure policy by raising an issue on the repo… or add a language or regional legal translation by submitting a PR - Volunteer as a core contributor/maintainer on one of our existing projects -- Recommend a new project to support our mission to make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere. +- Recommend a new project to support our mission to make vulnerability disclosure safe, simple, and standardized for everyone. diff --git a/content/universe.md b/content/universe.md index ae6fc66..bebfe5a 100644 --- a/content/universe.md +++ b/content/universe.md @@ -16,7 +16,7 @@ Below is the full ecosystem. Every component answers a real question someone ask - [disclose.io](/) — the framework, docs, and project home - [directory.disclose.io](https://directory.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=directory) — the open **system of record** for every known VDP and bug bounty program -- [state.disclose.io](https://state.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=state) — ecosystem maturity metrics + the evidence-backed [Fortune 100 / ASX 100 / FTSE 100 safe-harbor scoreboard](https://state.disclose.io/top-100/) +- [state.disclose.io](https://state.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=state) — maturity metrics + the evidence-backed [safe-harbor scoreboard](https://state.disclose.io/top-100/) - [disclose.io/programs](/programs) — curated programs with safe harbor language - [disclose.io/platforms](/platforms) — bug bounty platforms supporting safe harbor - [disclose.io/threats](/threats) — the public archive of legal threats to security researchers diff --git a/layouts/partials/footer.html b/layouts/partials/footer.html index 513180f..78d5a2a 100644 --- a/layouts/partials/footer.html +++ b/layouts/partials/footer.html @@ -7,7 +7,7 @@ disclose.io

- disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere. Open source since 2018. + The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone.

diff --git a/static/llms.txt b/static/llms.txt index 0116c2f..d6a9a4d 100644 --- a/static/llms.txt +++ b/static/llms.txt @@ -1,15 +1,15 @@ # disclose.io -> disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere. +> disclose.io is the open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone. -We maintain open-source databases, policy templates, tools, and educational resources to make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere. A fuller machine-readable corpus is available at [llms-full.txt](https://disclose.io/llms-full.txt). +We maintain open-source databases, policy templates, tools, and resources to make vulnerability disclosure safe, simple, and standardized for everyone. A fuller machine-readable corpus is available at [llms-full.txt](https://disclose.io/llms-full.txt). ## Open Databases - [Bug Bounty Platforms](https://disclose.io/platforms/): Community-curated directory of every known bug bounty, vulnerability disclosure, and crowdsourced security platform. Open-source at github.com/disclose/bug-bounty-platforms. - [VDP Programs](https://disclose.io/programs/): The largest open directory of vulnerability disclosure and bug bounty programs on the public internet. Each entry includes scope, policy URL, and safe-harbor language. Powers lookup.disclose.io. - [Research Threats](https://disclose.io/threats/): Canonical public archive of legal threats made against security researchers engaged in good-faith vulnerability disclosure. Open-source at github.com/disclose/research-threats. -- [State of Disclosure / Scoreboard](https://state.disclose.io): Ecosystem maturity metrics plus the evidence-backed Fortune 100 / ASX 100 / FTSE 100 safe-harbor scoreboard (state.disclose.io/top-100). +- [State of Disclosure / Scoreboard](https://state.disclose.io): The evidence-backed safe-harbor scoreboard for the world's biggest companies (state.disclose.io/top-100). ## The Framework @@ -23,8 +23,8 @@ We maintain open-source databases, policy templates, tools, and educational reso ## Documentation -- [What is disclose.io](https://disclose.io/docs/what-is-disclose/): The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. -- [Vision and Mission](https://disclose.io/docs/vision-and-mission/): Make vulnerability disclosure safe, simple, and standardized for researchers and organizations everywhere. +- [What is disclose.io](https://disclose.io/docs/what-is-disclose/): The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting. +- [Vision and Mission](https://disclose.io/docs/vision-and-mission/): Make vulnerability disclosure safe, simple, and standardized for everyone. - [Design Strategy](https://disclose.io/docs/design-strategy/): Design principles for making secure easy and insecure obvious. - [Key Objectives](https://disclose.io/docs/key-objectives/): The key objectives driving the disclose.io project. - [For Finders and Hackers](https://disclose.io/docs/for-finders-and-hackers/): How disclose.io helps security researchers and finders. From 77679554f7df95d9289f38c1093598b5ac193473 Mon Sep 17 00:00:00 2001 From: yesnet0 <12779999+yesnet0@users.noreply.github.com> Date: Sun, 5 Jul 2026 05:10:12 -0700 Subject: [PATCH 3/4] Rework front-page FAQs, factuality pass, and remove em-dashes site-wide FAQs (front page): - Correct the nonprofit status: disclose.io is incorporated as a Delaware nonprofit; 501(c)(3) is still in progress, so gifts aren't deductible yet (was "in the process of incorporating"). - Fix a garbled founder credit: "National Transport and Information Authority" -> National Telecommunications and Information Administration (NTIA). - Point "keep the list up to date" at directory.disclose.io (the system of record) instead of a mismatched diodb/dioterms link. - Drop the drift-prone "even in 2026" line; tighten every answer. Factuality: - Generalize unverifiable future event dates for Hackers on the Hill. - Retire the dead data.disclose.io survey entry in the project directory. Em-dashes removed across the whole site (house style): content, data, config, layouts, static, and the framework generator (maturity titles + descriptions). Left untouched by design: the canonical legal terms and the externally- attributed good-faith-research practices doc. --- config/_default/hugo.toml | 2 +- config/_default/menus.toml | 14 +++++----- config/_default/params.toml | 2 +- content/_index.md | 6 ++-- content/contact.md | 2 +- content/docs/advocacy-and-activism.md | 32 ++++++++++----------- content/docs/contributors.md | 2 +- content/docs/key-objectives.md | 2 +- content/docs/project-directory.md | 28 +++++++++---------- content/docs/talks-and-videos.md | 14 +++++----- content/docs/vision-and-mission.md | 4 +-- content/docs/what-is-disclose.md | 12 ++++---- content/faqs/how-to-interact.md | 12 ++++---- content/faqs/legal-advice.md | 2 +- content/faqs/not-for-profit.md | 6 ++-- content/faqs/safe-harbor.md | 8 +++--- content/faqs/who-is-this-for.md | 8 +++--- content/framework/_index.md | 2 +- content/framework/maturity/_index.md | 10 +++---- content/framework/practices/_index.md | 6 ++-- content/framework/terms/_index.md | 4 +-- content/platforms.md | 2 +- content/security.md | 2 +- content/tools.md | 18 ++++++------ content/universe.md | 40 +++++++++++++-------------- data/navigation/boxes.yaml | 2 +- data/partners.yaml | 6 ++-- data/superheroes.yaml | 2 +- layouts/_default/baseof.html | 4 +-- layouts/_default/threats.html | 10 +++---- layouts/partials/analytics.html | 12 ++++---- layouts/partials/footer.html | 2 +- layouts/partials/hero.html | 2 +- layouts/partials/newsletter-cta.html | 2 +- layouts/partials/page-tldr.html | 2 +- layouts/partials/superheroes.html | 4 +-- layouts/sitemap.xml | 2 +- scripts/preprocess-framework.js | 36 ++++++++++++++++++++++-- static/images/universe-diagram.svg | 4 +-- static/internal/utm-builder.html | 12 ++++---- static/llms.txt | 4 +-- 41 files changed, 188 insertions(+), 158 deletions(-) diff --git a/config/_default/hugo.toml b/config/_default/hugo.toml index f938ba3..6c042b5 100644 --- a/config/_default/hugo.toml +++ b/config/_default/hugo.toml @@ -20,7 +20,7 @@ pygmentsUseClasses = true endLevel = 4 ordered = false -# Taxonomies (disabled — no content uses tags or categories) +# Taxonomies (disabled: no content uses tags or categories) [taxonomies] # Permalinks diff --git a/config/_default/menus.toml b/config/_default/menus.toml index df027cd..c6a7444 100644 --- a/config/_default/menus.toml +++ b/config/_default/menus.toml @@ -239,7 +239,7 @@ parent = "Community" weight = 20 -# Framework sidebar navigation — three pillars +# Framework sidebar navigation: three pillars [[framework]] name = "Overview" url = "/framework/" @@ -292,37 +292,37 @@ weight = 5 [[framework]] - name = "Level 0 — Not Present" + name = "Level 0: Not Present" url = "/framework/maturity/level-0/" parent = "Maturity (diostatus)" weight = 10 [[framework]] - name = "Level 1 — Contact Only" + name = "Level 1: Contact Only" url = "/framework/maturity/level-1/" parent = "Maturity (diostatus)" weight = 20 [[framework]] - name = "Level 2 — Basic VDP" + name = "Level 2: Basic VDP" url = "/framework/maturity/level-2/" parent = "Maturity (diostatus)" weight = 30 [[framework]] - name = "Level 3 — Partial Safe Harbor" + name = "Level 3: Partial Safe Harbor" url = "/framework/maturity/level-3/" parent = "Maturity (diostatus)" weight = 40 [[framework]] - name = "Level 4 — Full Safe Harbor" + name = "Level 4: Full Safe Harbor" url = "/framework/maturity/level-4/" parent = "Maturity (diostatus)" weight = 50 [[framework]] - name = "Level 5 — Full Safe Harbor + CVD" + name = "Level 5: Full Safe Harbor + CVD" url = "/framework/maturity/level-5/" parent = "Maturity (diostatus)" weight = 60 diff --git a/config/_default/params.toml b/config/_default/params.toml index 44b8cc6..bff1c61 100644 --- a/config/_default/params.toml +++ b/config/_default/params.toml @@ -1,5 +1,5 @@ # Site metadata -description = "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone." +description = "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting. Safe, simple, and standardized for everyone." author = "disclose.io" # Social/SEO diff --git a/content/_index.md b/content/_index.md index 23f7860..3de3f3e 100644 --- a/content/_index.md +++ b/content/_index.md @@ -1,9 +1,9 @@ --- title: "disclose.io" -description: "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone." +description: "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting. Safe, simple, and standardized for everyone." hero: title: "disclose.io" - subtitle: "The infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone." + subtitle: "The infrastructure that powers vulnerability disclosure and security reporting. Safe, simple, and standardized for everyone." supporting: "Open source · vendor-neutral · home of the safe-harbor scoreboard." image: "uploads/tug-of-war.png" search: true @@ -19,7 +19,7 @@ faq: subtitle: "Got a quick question? Let's get you a quick answer" partners: title: "Partners and friends" - subtitle: "Organizations that share our mission — folks worth knowing, and ways to engage with them" + subtitle: "Organizations that share our mission, and ways to engage with them" videos: title: "Why does disclose.io exist?" subtitle: "A couple of talks to get you started..." diff --git a/content/contact.md b/content/contact.md index c2005da..69b13d9 100644 --- a/content/contact.md +++ b/content/contact.md @@ -5,4 +5,4 @@ description: "Got questions, suggestions, or want to start a disclose.io project We'd love to hear from you! Reach out to us at [hello@disclose.io](mailto:hello@disclose.io). -You can also say hello over at the [disclose.io Community Discourse](https://community.disclose.io) — contributors to disclose.io as well as many from the finder, builder, CERT, and facilitator communities are there. +You can also say hello over at the [disclose.io Community Discourse](https://community.disclose.io): contributors to disclose.io as well as many from the finder, builder, CERT, and facilitator communities are there. diff --git a/content/docs/advocacy-and-activism.md b/content/docs/advocacy-and-activism.md index 59c6b28..16fb2a5 100644 --- a/content/docs/advocacy-and-activism.md +++ b/content/docs/advocacy-and-activism.md @@ -12,22 +12,22 @@ weight: 120 Following is a collection of letters and statements that disclose.io and/or its members have either co-authored or joined as a signatory, in reverse chronological order: -- [Comments on NIST Cyber AI Profile](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hacking-policy-council-comment-on-nist-cyber-ai-profile) (February 2026) — Joint Cybersecurity Coalition and Hacking Policy Council comments on NIST's Cybersecurity AI Community Profile, recommending lifecycle-based AI risk management and recognition of red teaming and bug bounty programs for AI systems. -- [Comments on EU CRA Delegated Act on Delaying Incident Notifications](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hpc-comment-on-eu-cra-delegated-act-on-delaying-dissemination-of-notifications-about-vulnerabilities-and-incidents) (December 2025) — Joint Cybersecurity Coalition and HPC comments urging the European Commission to make the 72-hour timeframe for mitigation measures more flexible. -- [Letter in Support for Reauthorization of the Cybersecurity Information Sharing Act of 2015](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/686c033e68c8113961b742d7_HPC%20Letter%20of%20Support%20for%20CISA%202015.pdf) (July 2025) — HPC letter to Congress urging reauthorization of CISA 2015 before its expiration. -- [Comments on the Development of an AI Action Plan](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/67daf93765b1ddf7ae51346d_Hacking%20Policy%20Council%20-%20White%20House%20AI%20Action%20Plan%20Comments.pdf) (March 2025) — HPC comments to the White House on AI security testing and vulnerability disclosure as part of the national AI Action Plan. -- [Resource on Vulnerability Management under the EU Cyber Resilience Act](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/672a576c4b934de1bc54a95e_HPC%20-%20CRA%20and%20vuln%20management%20resource%20-%20updated%2020241028.pdf) (October 2024) — HPC guidance on vulnerability management obligations under the EU CRA framework. -- [Comments to CISA on Cyber Incident Reporting for Critical Infrastructure (CIRCIA)](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66ba3e8ca62102990d3d1f77_Hacking%20Policy%20Council%20-%20CIRCIA%20Comments%20-%2020240703%20(1).pdf) (July 2024) — HPC comments on how incident reporting requirements interact with security research and vulnerability disclosure. -- [Reply Comments for DMCA Section 1201 Exemption for Generative AI Research](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66310fc53222d7e3da10c1c9_Hacking%20Policy%20Council%20reply%20comments%20on%20the%20Ninth%20Triennial%20Proceeding%20-%2020240319.pdf) (March 2024) — HPC reply comments in the Ninth Triennial Proceeding. The Copyright Office subsequently clarified that prompt injection, jailbreaking, and rate limit bypass do not violate DMCA Section 1201. -- [Joint Letter of Experts on CRA and Vulnerability Disclosure](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-of-experts-on-cra-and-vulnerability-disclosure) (October 2023) — Open letter signed by 50+ cybersecurity experts opposing the EU CRA's Article 11 requirement for 24-hour disclosure of actively exploited unpatched vulnerabilities. -- [AI Red Teaming: Recommendations for Legal Clarity and Liability Protections](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/6579fcd1b821fdc1e507a6d0_Hacking-Policy-Council-statement-on-AI-red-teaming-protections-20231212.pdf) (December 2023) — HPC recommendations establishing that AI red teaming needs legal safe harbors similar to those for traditional security research. -- [Position Statement on State Charging Policies for Security Researchers](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/64d3d1e780453a690d637186_HPC%20statement%20on%20state%20charging%20policy%20reform%20-%20August%202023.pdf) (August 2023) — HPC statement addressing the risk that state prosecutors can pursue CFAA-style cases that federal prosecutors would decline, calling for reform of state-level charging policies. -- [Joint Letter to OFAC re Vulnerability Guidance](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-to-ofac-re-vulnerability-guidance) (May 2023) — HPC letter requesting OFAC clarify that receiving vulnerability disclosures from individuals in sanctioned countries is not restricted under sanctions. -- [Security Researcher Statement on the DMCA](https://www.eff.org/deeplinks/2021/06/dmca-security-researcher-statement) (June 2021) — EFF statement on DMCA exemptions for good-faith security research, co-signed by disclose.io and others. -- [Calling for Cybersecurity in Critical Infrastructure Modernization](https://www.rapid7.com/blog/post/2021/05/21/calling-for-cybersecurity-in-critical-infrastructure-modernization/) (May 2021) — Coalition letter urging Congress and the Biden Administration to integrate cybersecurity requirements into infrastructure modernization legislation. -- [An Open Letter on Election Security](https://www.eff.org/deeplinks/2020/11/elections-are-partisan-affairs-election-security-isnt) (November 2020) — Open letter alongside the EFF, Bugcrowd, the Centre for Democracy and Technology, Verified Voting, and others. -- [Open Letter to Columbus City Attorney Zach Klein](/uploads/open_letter_columbus_attorney_zach_klein.pdf) — Regarding the prosecution of a security researcher who reported vulnerabilities in city election systems. -- [Response to Voatz](/voatz-response-letter) — Addressing Voatz's claims about security researchers who identified vulnerabilities in their mobile voting application. +- [Comments on NIST Cyber AI Profile](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hacking-policy-council-comment-on-nist-cyber-ai-profile) (February 2026): Joint Cybersecurity Coalition and Hacking Policy Council comments on NIST's Cybersecurity AI Community Profile, recommending lifecycle-based AI risk management and recognition of red teaming and bug bounty programs for AI systems. +- [Comments on EU CRA Delegated Act on Delaying Incident Notifications](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hpc-comment-on-eu-cra-delegated-act-on-delaying-dissemination-of-notifications-about-vulnerabilities-and-incidents) (December 2025): Joint Cybersecurity Coalition and HPC comments urging the European Commission to make the 72-hour timeframe for mitigation measures more flexible. +- [Letter in Support for Reauthorization of the Cybersecurity Information Sharing Act of 2015](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/686c033e68c8113961b742d7_HPC%20Letter%20of%20Support%20for%20CISA%202015.pdf) (July 2025): HPC letter to Congress urging reauthorization of CISA 2015 before its expiration. +- [Comments on the Development of an AI Action Plan](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/67daf93765b1ddf7ae51346d_Hacking%20Policy%20Council%20-%20White%20House%20AI%20Action%20Plan%20Comments.pdf) (March 2025): HPC comments to the White House on AI security testing and vulnerability disclosure as part of the national AI Action Plan. +- [Resource on Vulnerability Management under the EU Cyber Resilience Act](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/672a576c4b934de1bc54a95e_HPC%20-%20CRA%20and%20vuln%20management%20resource%20-%20updated%2020241028.pdf) (October 2024): HPC guidance on vulnerability management obligations under the EU CRA framework. +- [Comments to CISA on Cyber Incident Reporting for Critical Infrastructure (CIRCIA)](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66ba3e8ca62102990d3d1f77_Hacking%20Policy%20Council%20-%20CIRCIA%20Comments%20-%2020240703%20(1).pdf) (July 2024): HPC comments on how incident reporting requirements interact with security research and vulnerability disclosure. +- [Reply Comments for DMCA Section 1201 Exemption for Generative AI Research](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66310fc53222d7e3da10c1c9_Hacking%20Policy%20Council%20reply%20comments%20on%20the%20Ninth%20Triennial%20Proceeding%20-%2020240319.pdf) (March 2024): HPC reply comments in the Ninth Triennial Proceeding. The Copyright Office subsequently clarified that prompt injection, jailbreaking, and rate limit bypass do not violate DMCA Section 1201. +- [Joint Letter of Experts on CRA and Vulnerability Disclosure](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-of-experts-on-cra-and-vulnerability-disclosure) (October 2023): Open letter signed by 50+ cybersecurity experts opposing the EU CRA's Article 11 requirement for 24-hour disclosure of actively exploited unpatched vulnerabilities. +- [AI Red Teaming: Recommendations for Legal Clarity and Liability Protections](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/6579fcd1b821fdc1e507a6d0_Hacking-Policy-Council-statement-on-AI-red-teaming-protections-20231212.pdf) (December 2023): HPC recommendations establishing that AI red teaming needs legal safe harbors similar to those for traditional security research. +- [Position Statement on State Charging Policies for Security Researchers](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/64d3d1e780453a690d637186_HPC%20statement%20on%20state%20charging%20policy%20reform%20-%20August%202023.pdf) (August 2023): HPC statement addressing the risk that state prosecutors can pursue CFAA-style cases that federal prosecutors would decline, calling for reform of state-level charging policies. +- [Joint Letter to OFAC re Vulnerability Guidance](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-to-ofac-re-vulnerability-guidance) (May 2023): HPC letter requesting OFAC clarify that receiving vulnerability disclosures from individuals in sanctioned countries is not restricted under sanctions. +- [Security Researcher Statement on the DMCA](https://www.eff.org/deeplinks/2021/06/dmca-security-researcher-statement) (June 2021): EFF statement on DMCA exemptions for good-faith security research, co-signed by disclose.io and others. +- [Calling for Cybersecurity in Critical Infrastructure Modernization](https://www.rapid7.com/blog/post/2021/05/21/calling-for-cybersecurity-in-critical-infrastructure-modernization/) (May 2021): Coalition letter urging Congress and the Biden Administration to integrate cybersecurity requirements into infrastructure modernization legislation. +- [An Open Letter on Election Security](https://www.eff.org/deeplinks/2020/11/elections-are-partisan-affairs-election-security-isnt) (November 2020): Open letter alongside the EFF, Bugcrowd, the Centre for Democracy and Technology, Verified Voting, and others. +- [Open Letter to Columbus City Attorney Zach Klein](/uploads/open_letter_columbus_attorney_zach_klein.pdf): Regarding the prosecution of a security researcher who reported vulnerabilities in city election systems. +- [Response to Voatz](/voatz-response-letter): Addressing Voatz's claims about security researchers who identified vulnerabilities in their mobile voting application. ## Hacking Policy Council diff --git a/content/docs/contributors.md b/content/docs/contributors.md index 9104bc7..03a3f71 100644 --- a/content/docs/contributors.md +++ b/content/docs/contributors.md @@ -1,7 +1,7 @@ --- title: "Contributors" slug: "open-source-contributors" -description: "The people behind disclose.io — legends, maintainers, and open-source contributors keeping the Internet safer." +description: "The people behind disclose.io, legends, maintainers, and open-source contributors keeping the Internet safer." weight: 80 --- diff --git a/content/docs/key-objectives.md b/content/docs/key-objectives.md index 45f0503..e8dda08 100644 --- a/content/docs/key-objectives.md +++ b/content/docs/key-objectives.md @@ -8,7 +8,7 @@ weight: 40 - **Create a vibrant community** that blends [security researchers, policymakers, lawyers, and technology vendors](https://community.disclose.io) to foster collaboration, and creates high-quality tools and data that support a virtuous cycle. - Help organizations **promote adoption and excellence** to their customers, industry peers, and the security community. -- Maintain a [maturity model](/framework/maturity/) and drive a **race to the top** — published as the evidence-backed [safe-harbor scoreboard](https://state.disclose.io/top-100/). +- Maintain a [maturity model](/framework/maturity/) and drive a **race to the top**, published as the evidence-backed [safe-harbor scoreboard](https://state.disclose.io/top-100/). - **Be the [open system of record](https://directory.disclose.io)** for every program's disclosure status, and let anyone [look one up](https://lookup.disclose.io) or update it. - **Drive the state of the art** in thinking around legal risks faced for security researchers and the steps organizations can take to reduce them. - [Make tools and techniques](https://github.com/disclose) **freely available** to technology vendors to ease the socialization and adoption of VDP. diff --git a/content/docs/project-directory.md b/content/docs/project-directory.md index 2387a42..a591092 100644 --- a/content/docs/project-directory.md +++ b/content/docs/project-directory.md @@ -1,6 +1,6 @@ --- title: "Project Directory" -description: "The full ecosystem of disclose.io projects — standards, tools, data, and community resources for vulnerability disclosure." +description: "The full ecosystem of disclose.io projects, standards, tools, data, and community resources for vulnerability disclosure." weight: 90 --- @@ -12,19 +12,19 @@ Everything below is free, open-source, and community-maintained. The policy and legal building blocks that underpin everything else. -### dioterms — VDP Policy Templates +### dioterms: VDP Policy Templates The core set of boilerplate vulnerability disclosure policy templates. Available in multiple languages and adapted for specific geographies, verticals, and regulatory frameworks. These templates are what the Policymaker tool generates from. [Repository](https://github.com/disclose/dioterms) -### dnssecuritytxt — DNS Security TXT +### dnssecuritytxt: DNS Security TXT -A proposed standard for publishing security contact and vulnerability disclosure information via DNS TXT records — extending the security.txt concept to organizations and assets where web-based paths aren't available. +A proposed standard for publishing security contact and vulnerability disclosure information via DNS TXT records, extending the security.txt concept to organizations and assets where web-based paths aren't available. [Repository](https://github.com/disclose/dnssecuritytxt) -### diostatus — The Maturity Model and Seal +### diostatus: The Maturity Model and Seal A five-level maturity model for vulnerability disclosure programs, from "no contact" to "full safe harbor with coordinated disclosure." The disclose.io seal provides a recognizable mark indicating an organization's level of best-practice adoption. See the [full maturity model documentation](/docs/diostatus/). @@ -38,17 +38,17 @@ Free tools that put the standards into practice. ### Policymaker -A multi-lingual, guided VDP policy generator. Answer a few questions about your organization and get a ready-to-publish vulnerability disclosure policy, safe harbor language, and security.txt — all based on the dioterms templates. +A multi-lingual, guided VDP policy generator. Answer a few questions about your organization and get a ready-to-publish vulnerability disclosure policy, safe harbor language, and security.txt, all based on the dioterms templates. [policymaker.disclose.io](https://policymaker.disclose.io) | [Repository](https://github.com/disclose/policymaker) ### lookup.disclose.io -A security attribution and contact lookup tool. Given a domain, IP, package name, or other identifier, find the right place to report a vulnerability — pulling from security.txt, DNS, WHOIS, bug bounty platforms, and the disclose.io database. +A security attribution and contact lookup tool. Given a domain, IP, package name, or other identifier, find the right place to report a vulnerability, pulling from security.txt, DNS, WHOIS, bug bounty platforms, and the disclose.io database. [lookup.disclose.io](https://lookup.disclose.io) -### diosts — Security.txt Scanner +### diosts: Security.txt Scanner A Go-based scanner that validates security.txt files at internet scale. Powers the data behind the disclose.io VDP adoption surveys. @@ -60,19 +60,17 @@ A Go-based scanner that validates security.txt files at internet scale. Powers t Tracking adoption, documenting threats, and building the evidence base for policy work. -### diodb — The VDP/BBP Database +### diodb: The VDP/BBP Database -The definitive community-powered database of every known vulnerability disclosure program and public bug bounty program, along with their disclose.io maturity status. The most active project in the ecosystem — contributions welcome via pull request. +The definitive community-powered database of every known vulnerability disclosure program and public bug bounty program, along with their disclose.io maturity status. The most active project in the ecosystem, contributions welcome via pull request. [Repository](https://github.com/disclose/diodb) -### data.disclose.io — VDP Adoption Survey +### Data survey: retired -Internet-wide survey data on vulnerability disclosure program adoption, generated from diosts scans and community contributions. Used by researchers, policymakers, and organizations for tracking industry progress. +The legacy `data.disclose.io` VDP adoption survey surface has been retired. Use the current disclose.io directory, state-of-disclosure snapshot, and ranked-list disclosure audits for active adoption/maturity data. -data.disclose.io *(currently offline)* - -### research-threats — Legal Threats Archive +### research-threats: Legal Threats Archive A structured archive of legal threats, cease-and-desist letters, and prosecutions targeting good-faith security researchers. Documents the chilling effect and provides evidence for policy advocacy. diff --git a/content/docs/talks-and-videos.md b/content/docs/talks-and-videos.md index fa79ce8..ffb61a1 100644 --- a/content/docs/talks-and-videos.md +++ b/content/docs/talks-and-videos.md @@ -15,15 +15,15 @@ weight: 140 ## More Videos -- [Hacking Policy and Policy Hacking](https://www.youtube.com/watch?v=Ms1CPV6dnU8) — Amit Elazari, BSidesSF 2023 +- [Hacking Policy and Policy Hacking](https://www.youtube.com/watch?v=Ms1CPV6dnU8): Amit Elazari, BSidesSF 2023 - [The State of Vulnerability Disclosure](https://www.youtube.com/watch?v=ARWG35whYLs) -- [The State of Bug Bounties & AMA](https://www.youtube.com/watch?v=sOSoG3ysbH8) — Casey Ellis, Bugcrowd LevelUp 0x01, 2017 -- [Leonard Bailey + Casey Ellis + Marten Mickos](https://www.youtube.com/watch?v=IwI-m0dBrUA) — Cybertalks 2017 +- [The State of Bug Bounties & AMA](https://www.youtube.com/watch?v=sOSoG3ysbH8): Casey Ellis, Bugcrowd LevelUp 0x01, 2017 +- [Leonard Bailey + Casey Ellis + Marten Mickos](https://www.youtube.com/watch?v=IwI-m0dBrUA): Cybertalks 2017 - [Bug Bounty Legal Discussion](https://www.youtube.com/watch?v=o-X_Kw-3Kc4) -- [How bug bounties can impact critical infrastructure](https://www.youtube.com/watch?v=vv1PlZdvkdM) — Casey Ellis, Passcode Security of Things Forum, 2016 +- [How bug bounties can impact critical infrastructure](https://www.youtube.com/watch?v=vv1PlZdvkdM): Casey Ellis, Passcode Security of Things Forum, 2016 - [Vulnerability Disclosure Best Practices](https://www.youtube.com/watch?v=fisyZKn71PA) -- [How building a better hacker accidentally built a better defender](https://www.youtube.com/watch?v=jBtvJy-uUYs) — Casey Ellis, OWASP AppSec California, 2015 -- [The Art & Value of Bug Bounties](https://www.youtube.com/watch?v=WhRmzxgtsXQ) — Casey Ellis & Keren Elezari, 2015 +- [How building a better hacker accidentally built a better defender](https://www.youtube.com/watch?v=jBtvJy-uUYs): Casey Ellis, OWASP AppSec California, 2015 +- [The Art & Value of Bug Bounties](https://www.youtube.com/watch?v=WhRmzxgtsXQ): Casey Ellis & Keren Elezari, 2015 - [Safe Harbor for Security Research](https://www.youtube.com/watch?v=gDZoHorF42E) - [Policy Panel Discussion](https://www.youtube.com/watch?v=Qo98yG1YIZU) -- [Presenting Bugcrowd (Most Innovative Company)](https://www.youtube.com/watch?v=OBeEUmFULUM) — Casey Ellis, LAUNCH Silicon Valley, 2013 +- [Presenting Bugcrowd (Most Innovative Company)](https://www.youtube.com/watch?v=OBeEUmFULUM): Casey Ellis, LAUNCH Silicon Valley, 2013 diff --git a/content/docs/vision-and-mission.md b/content/docs/vision-and-mission.md index 74fa06b..30f3cc0 100644 --- a/content/docs/vision-and-mission.md +++ b/content/docs/vision-and-mission.md @@ -6,12 +6,12 @@ weight: 20 ## Mission -> Make vulnerability disclosure **safe, simple, and standardized** for everyone — the open, vendor-neutral infrastructure that powers disclosure and security reporting. +> Make vulnerability disclosure **safe, simple, and standardized** for everyone. We're the open, vendor-neutral infrastructure that powers disclosure and security reporting. ## Vision > Every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping. -Our shorthand: a healthy **Internet Immune System** — "Neighborhood Watch for the Internet." +Our shorthand: a healthy **Internet Immune System**, or "Neighborhood Watch for the Internet." ![disclose.io timeline](/uploads/diotimeline.png) diff --git a/content/docs/what-is-disclose.md b/content/docs/what-is-disclose.md index e614d42..26a25ab 100644 --- a/content/docs/what-is-disclose.md +++ b/content/docs/what-is-disclose.md @@ -11,7 +11,7 @@ disclose.io is the **open, vendor-neutral infrastructure that powers vulnerabili ![tug-of-war 2021](/uploads/tug-of-war.jpg) -We didn't join this movement — we started it. disclose.io is the vendor-neutral home for safe harbor, and we publish the free, lawyer-reviewed policy language (**dioterms**, CC0) the ecosystem runs on. +We didn't join this movement. We started it. disclose.io is the vendor-neutral home for safe harbor, and we publish the free, lawyer-reviewed policy language (**dioterms**, CC0) the ecosystem runs on. ![tug-of-war 2026](/uploads/becausemath-2026.png) @@ -19,11 +19,11 @@ We didn't join this movement — we started it. disclose.io is the vendor-neutra Open, vendor-neutral properties, each answering a real question: -- **Standards** — [dioterms](https://github.com/disclose/dioterms) (safe-harbor language) and [dnssecuritytxt](https://dnssecuritytxt.org) (contacts at the DNS layer). -- **Tools** — [policymaker](https://policymaker.disclose.io) (draft a policy), [lookup](https://lookup.disclose.io) (find who to report to), and [vault](https://vault.disclose.io) (coordinate disclosure). -- **Data** — [directory.disclose.io](https://directory.disclose.io), the open system of record for every program. -- **Measurement** — [state.disclose.io](https://state.disclose.io), the safe-harbor scoreboard for the world's biggest companies. -- **Record & commons** — [/threats](/threats), [community.disclose.io](https://community.disclose.io), and the weekly [PolicyPulse](https://blog.disclose.io). +- **Standards:** [dioterms](https://github.com/disclose/dioterms) (safe-harbor language) and [dnssecuritytxt](https://dnssecuritytxt.org) (contacts at the DNS layer). +- **Tools:** [policymaker](https://policymaker.disclose.io) (draft a policy), [lookup](https://lookup.disclose.io) (find who to report to), and [vault](https://vault.disclose.io) (coordinate disclosure). +- **Data:** [directory.disclose.io](https://directory.disclose.io), the open system of record for every program. +- **Measurement:** [state.disclose.io](https://state.disclose.io), the safe-harbor scoreboard for the world's biggest companies. +- **Record and commons:** [/threats](/threats), [community.disclose.io](https://community.disclose.io), and the weekly [PolicyPulse](https://blog.disclose.io). ## Powered by experts diff --git a/content/faqs/how-to-interact.md b/content/faqs/how-to-interact.md index f7764db..54216ec 100644 --- a/content/faqs/how-to-interact.md +++ b/content/faqs/how-to-interact.md @@ -5,9 +5,9 @@ weight: 30 Glad you asked! -- Start a vulnerability disclosure program (VDP), or upgrade your VDP or bug bounty program to include best practices like Safe Harbor and proactive disclosure timelines -- Join the community, contribute or assist with vulnerability research, and help finders connect with security teams to alert them of identified risks -- Help us keep "The Big List" of known VDPs and bug bounty programs up-to-date by submitting a PR to the dioterms repo -- Contribute to the dioterms open-source vulnerability disclosure policy by raising an issue on the repo… or add a language or regional legal translation by submitting a PR -- Volunteer as a core contributor/maintainer on one of our existing projects -- Recommend a new project to support our mission to make vulnerability disclosure safe, simple, and standardized for everyone. +- Start or upgrade a vulnerability disclosure program (VDP) with best practices like Safe Harbor and clear disclosure timelines. +- Join the community and help finders connect with the security teams who need to hear from them. +- Help keep the directory of VDPs and bug bounty programs accurate and up to date. +- Improve the dioterms disclosure policy by raising an issue or adding a translation via a pull request. +- Volunteer as a maintainer on one of our projects. +- Suggest a new project. diff --git a/content/faqs/legal-advice.md b/content/faqs/legal-advice.md index db5dcbb..8d95406 100644 --- a/content/faqs/legal-advice.md +++ b/content/faqs/legal-advice.md @@ -3,4 +3,4 @@ title: "Is this legal advice?" weight: 60 --- -While we've engaged the legal opinion of many, this does not constitute legal advice. Please consult your legal counsel for the specific suitability of the disclose.io terms in your organization. +No. We've drawn on many legal opinions, but this isn't legal advice. Consult your own counsel on whether the disclose.io terms fit your organization. diff --git a/content/faqs/not-for-profit.md b/content/faqs/not-for-profit.md index 2a33053..a26cff4 100644 --- a/content/faqs/not-for-profit.md +++ b/content/faqs/not-for-profit.md @@ -1,10 +1,10 @@ --- -title: "Is disclose.io a 501.c3 (Not For Profit)?" +title: "Is disclose.io a 501(c)(3) nonprofit?" weight: 50 --- -disclose.io was formed as a merge of separate standardization projects initiated by RainForest Puppy, Bugcrowd, Cipherlaw, Dropbox, Dr. Amit Elazari, UC Berkeley, the National Transport and Information Authority, the US Department of Justice, and others. +disclose.io grew out of a merge of earlier standardization efforts by RainForest Puppy, Bugcrowd, CipherLaw, Dropbox, Dr. Amit Elazari, UC Berkeley, the National Telecommunications and Information Administration (NTIA), the US Department of Justice, and others. ![disclose.io timeline](/uploads/dio-timeline.png) -We're currently in the process of incorporating and pursuing status as a 501.c3 Not For Profit. +disclose.io is incorporated as a Delaware nonprofit corporation. We're completing the steps toward federal 501(c)(3) status, so contributions aren't tax-deductible yet. diff --git a/content/faqs/safe-harbor.md b/content/faqs/safe-harbor.md index 4d148a8..34c18dc 100644 --- a/content/faqs/safe-harbor.md +++ b/content/faqs/safe-harbor.md @@ -3,10 +3,10 @@ title: "What is Safe Harbor?" weight: 20 --- -Most of the existing anti-hacking laws pre-date the notion of hacking for good or widespread knowledge of the "digital locksmiths" who are increasingly influencing modern-day digital safety. +Most anti-hacking laws pre-date the idea of hacking for good, or the "digital locksmiths" who increasingly shape modern digital safety. -These anti-hacking laws have been **used by organizations to suppress good-faith security research** in the pursuit of limiting negative publicity for the vendor, which nets out to a "chilling effect" on the input from the people the Internet needs to hear from most. **If hackers are the Internet's Immune System, then right now, even in 2026, the Internet still has an auto-immune problem.** +Those laws get **used to suppress good-faith research** and limit bad publicity for vendors. The result is a "chilling effect" that silences the very people the Internet most needs to hear from. If hackers are the Internet's immune system, the Internet still has an auto-immune problem. -"Safe Harbor" is the term used to describe clauses added to public policies which allow folks acting in good faith, as defined clearly and proactively by the recipient, to **provide security feedback without fear of legal repercussions.** +**Safe Harbor** is language added to a policy that lets people acting in good faith, as the recipient defines it, **report security issues without fear of legal repercussions.** -disclose.io intends to help define, spread, and reward the adoption of vulnerability disclosure programs with best practices like Safe Harbor. +disclose.io helps define, spread, and reward Safe Harbor and other disclosure best practices. diff --git a/content/faqs/who-is-this-for.md b/content/faqs/who-is-this-for.md index 0cc7617..7400b08 100644 --- a/content/faqs/who-is-this-for.md +++ b/content/faqs/who-is-this-for.md @@ -3,7 +3,7 @@ title: "Who is disclose.io for?" weight: 10 --- -- **Hackers and Finders:** You want to help, and you're not sure that you're welcome - We want to help you make safe decisions and connect you to the right people to take action on your input -- **Legal teams:** Vulnerability reporting and research is tricky, and inviting the help of hackers is still legally novel territory - We want to make it simple for you to make consensus-backed recommendations -- **Organizations:** Vulnerabilities are inherent to innovation, but it still takes guts to say so - We want to help you say so loudly and proudly -- **Security Researchers:** You've been waiting for the red carpet - We'll help you find it +- **Hackers and finders:** You want to help but aren't sure you're welcome. We help you make safe decisions and reach the right people. +- **Legal teams:** Inviting hackers is still novel territory. We make it simple to give consensus-backed advice. +- **Organizations:** Vulnerabilities come with innovation. We help you say so, loudly and proudly. +- **Security researchers:** You've been waiting for the red carpet. We'll help you find it. diff --git a/content/framework/_index.md b/content/framework/_index.md index f9b5fb4..ca38d75 100644 --- a/content/framework/_index.md +++ b/content/framework/_index.md @@ -6,7 +6,7 @@ weight: 1 tldr: "The disclose.io Framework is the open-source, public-domain reference for running a vulnerability disclosure program (VDP). It provides canonical legal terms organizations can drop into their own policies, a shared vocabulary security researchers use when reading or critiquing programs, and the diostatus six-level maturity model for measuring program quality over time. All Framework content is licensed CC0 1.0 and is editable at github.com/disclose/dioterms." --- -The disclose.io Framework is our open-source, public-domain reference for running a vulnerability disclosure program — starting-point boilerplate for organisations, shared vocabulary for security researchers reading or critiquing programs, and a way to measure maturity over time. It's all open for review and contribution, so if you spot something off, you can [open a PR at github.com/disclose/dioterms](https://github.com/disclose/dioterms) (licensed [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/)). +The disclose.io Framework is our open-source, public-domain reference for running a vulnerability disclosure program, starting-point boilerplate for organisations, shared vocabulary for security researchers reading or critiquing programs, and a way to measure maturity over time. It's all open for review and contribution, so if you spot something off, you can [open a PR at github.com/disclose/dioterms](https://github.com/disclose/dioterms) (licensed [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/)). ## How to use diff --git a/content/framework/maturity/_index.md b/content/framework/maturity/_index.md index 2bdfd17..7c7cdcc 100644 --- a/content/framework/maturity/_index.md +++ b/content/framework/maturity/_index.md @@ -1,6 +1,6 @@ --- -title: "Framework — Maturity (diostatus)" -description: "The disclose.io Maturity Model — a six-level self-assessment for vulnerability disclosure program readiness." +title: "Framework: Maturity (diostatus)" +description: "The disclose.io Maturity Model, a six-level self-assessment for vulnerability disclosure program readiness." type: framework weight: 30 aliases: @@ -10,7 +10,7 @@ aliases: **diostatus** is a six-level self-assessment describing how prepared an organisation is to receive and handle external vulnerability reports. -![diostatus Maturity Model — the progression from Level 0 to Level 5](/uploads/discloseio-maturity-climb-v8.jpg) +![diostatus Maturity Model, the progression from Level 0 to Level 5](/uploads/discloseio-maturity-climb-v8.jpg) ## The progression in one line @@ -25,8 +25,8 @@ Each level builds on the previous, creating a clear progression path for organis | [0](/framework/maturity/level-0/) | Not Present | No contact, no policy | None | | [1](/framework/maturity/level-1/) | Contact Only | `security.txt` / intake method exists | None (but reachable) | | [2](/framework/maturity/level-2/) | Basic VDP | Public policy + channel | None (but documented) | -| [3](/framework/maturity/level-3/) | Partial Safe Harbor | Won't pursue legal action | Partial — report safely | -| [4](/framework/maturity/level-4/) | Full Safe Harbor | Explicitly authorises testing + law exemptions | Full — test safely | +| [3](/framework/maturity/level-3/) | Partial Safe Harbor | Won't pursue legal action | Partial, report safely | +| [4](/framework/maturity/level-4/) | Full Safe Harbor | Explicitly authorises testing + law exemptions | Full, test safely | | [5](/framework/maturity/level-5/) | Full Safe Harbor + CVD | Level 4 + proactive disclosure timeline | Full + accountability | See the individual level pages for plain-English definitions of each stage and how to progress between them. diff --git a/content/framework/practices/_index.md b/content/framework/practices/_index.md index ce801a4..e100e24 100644 --- a/content/framework/practices/_index.md +++ b/content/framework/practices/_index.md @@ -1,13 +1,13 @@ --- -title: "Framework — Practices" -description: "Operational conduct for good-faith security research — how researchers, lawmakers, and program operators distinguish legitimate research from malicious activity." +title: "Framework: Practices" +description: "Operational conduct for good-faith security research, how researchers, lawmakers, and program operators distinguish legitimate research from malicious activity." type: framework weight: 20 --- The **Practices** pillar of the disclose.io framework describes *how* good-faith security research is conducted. It complements the **Terms** pillar (legal boilerplate) and the **Maturity** pillar (program scoring) with operational guidance that maps the conduct expected of researchers and the conduct programs can rely on. -These are reference documents — most useful to: +These are reference documents, most useful to: - **Researchers**, as a reference for the conduct expected of good-faith activity. - **Lawmakers and law enforcement**, as a clearer line between legitimate research and malicious activity. diff --git a/content/framework/terms/_index.md b/content/framework/terms/_index.md index 04976dc..3e42604 100644 --- a/content/framework/terms/_index.md +++ b/content/framework/terms/_index.md @@ -1,10 +1,10 @@ --- -title: "Framework — Terms" +title: "Framework: Terms" description: "Canonical public-domain vulnerability disclosure policy boilerplate: VDP, BBP, and safe harbor." type: framework weight: 10 --- -Legal policy boilerplate — suitable for direct adoption by any organisation running a vulnerability disclosure program or bug bounty program. +Legal policy boilerplate, suitable for direct adoption by any organisation running a vulnerability disclosure program or bug bounty program. Placeholders like `[Organization Name]` appear styled inline. Fill these in manually, or generate a personalised copy via [policymaker.disclose.io](https://policymaker.disclose.io). diff --git a/content/platforms.md b/content/platforms.md index 8bbb218..554cbb7 100644 --- a/content/platforms.md +++ b/content/platforms.md @@ -2,5 +2,5 @@ title: "Bug Bounty Platforms" description: "A community-powered collection of all known bug bounty platforms, vulnerability disclosure platforms, and crowdsourced security platforms." layout: "platforms" -tldr: "disclose.io maintains a community-curated list of every known bug bounty, vulnerability disclosure, and crowdsourced security platform. Each entry includes the platform's name, primary URL, geographic focus, and disclosure model. The canonical disclose.io database — including both platforms and individual programs — lives at directory.disclose.io." +tldr: "disclose.io maintains a community-curated list of every known bug bounty, vulnerability disclosure, and crowdsourced security platform. Each entry includes the platform's name, primary URL, geographic focus, and disclosure model. The canonical disclose.io database, including both platforms and individual programs, lives at directory.disclose.io." --- diff --git a/content/security.md b/content/security.md index 1497ebf..9f9f6b7 100644 --- a/content/security.md +++ b/content/security.md @@ -1,6 +1,6 @@ --- title: "Security" -description: "disclose.io's own vulnerability disclosure policy — report issues to security@disclose.io." +description: "disclose.io's own vulnerability disclosure policy, report issues to security@disclose.io." source_repo: "https://github.com/disclose/dioterms" license: "CC0-1.0" --- diff --git a/content/tools.md b/content/tools.md index 4f47913..6e56635 100644 --- a/content/tools.md +++ b/content/tools.md @@ -1,35 +1,35 @@ --- title: "Tools" -description: "Free, open-source tools from the disclose.io project — for organizations launching a VDP, for researchers finding the right contact, and for everyone working to make vulnerability disclosure simpler." +description: "Free, open-source tools from the disclose.io project, for organizations launching a VDP, for researchers finding the right contact, and for everyone working to make vulnerability disclosure simpler." tldr: "disclose.io maintains four free, open-source tools that cover the full disclosure lifecycle: Policymaker generates VDP policy text from canonical templates, Directory and Lookup help anyone find the right disclosure contact for any asset, and Vault cryptographically enforces disclosure deadlines so a committed timeline cannot be reversed." --- -The disclose.io project ships four tools — each free, each open-source, each addressing a specific friction in the vulnerability disclosure pipeline. +The disclose.io project ships four tools, each free, each open-source, each addressing a specific friction in the vulnerability disclosure pipeline. ## Policymaker -**[policymaker.disclose.io](https://policymaker.disclose.io)** — Interactive policy generator +**[policymaker.disclose.io](https://policymaker.disclose.io)**: Interactive policy generator Generates a customized vulnerability disclosure policy (VDP) for any organization using the canonical legal terms from the [disclose.io Framework](/framework/). Pick a maturity level, fill in the organization name and contact channel, and walk away with safe-harbor language, a security.txt file, and a complete disclose.io-compliant policy. ## Directory -**[directory.disclose.io](https://directory.disclose.io)** — The open VDP and bug bounty programs database +**[directory.disclose.io](https://directory.disclose.io)**: The open VDP and bug bounty programs database Browse every known vulnerability disclosure and bug bounty program. Each entry includes the organization, in-scope assets, policy URL, and any safe-harbor language. Open-source, community-curated, and the data source behind the [Lookup](#lookup) attribution tool. ## Lookup -**[lookup.disclose.io](https://lookup.disclose.io)** — Security contact attribution +**[lookup.disclose.io](https://lookup.disclose.io)**: Security contact attribution -Turn any input — domain, IP, URL, email, ASN, npm package, mobile app, hardware product, free-text company name — into the right disclosure contact. The tool chains 11 attribution strategies (security.txt, the Directory, WHOIS, DNS SOA, common security@ aliases, bug bounty platform records, and more) and returns the highest-confidence contact with provenance. Available as a web UI, HTTP API, and MCP server. +Turn any input, domain, IP, URL, email, ASN, npm package, mobile app, hardware product, free-text company name, into the right disclosure contact. The tool chains 11 attribution strategies (security.txt, the Directory, WHOIS, DNS SOA, common security@ aliases, bug bounty platform records, and more) and returns the highest-confidence contact with provenance. Available as a web UI, HTTP API, and MCP server. ## Vault -**[vault.disclose.io](https://vault.disclose.io)** — Cryptographically enforced disclosure deadlines +**[vault.disclose.io](https://vault.disclose.io)**: Cryptographically enforced disclosure deadlines -A dead-man's-switch for vulnerability disclosure. A researcher commits a disclosure with a future publication date; the disclosure is encrypted with a timelock that cannot be bypassed, even by the operators of the vault. On expiry, the disclosure becomes publicly readable — regardless of what happens to anyone involved. +A dead-man's-switch for vulnerability disclosure. A researcher commits a disclosure with a future publication date; the disclosure is encrypted with a timelock that cannot be bypassed, even by the operators of the vault. On expiry, the disclosure becomes publicly readable, regardless of what happens to anyone involved. ## Browser extension **[Chrome extension](https://chromewebstore.google.com/detail/discloseio/efelnoglhabpipbgneeoehjbcmiclpda)** *(also referenced as the Disclose extension)* -Surfaces the disclose.io directory's VDP posture for any site you visit — see at a glance whether the organization has a published VDP, what their safe-harbor language is, and where to report a vulnerability. +Surfaces the disclose.io directory's VDP posture for any site you visit, see at a glance whether the organization has a published VDP, what their safe-harbor language is, and where to report a vulnerability. ## Browse the source diff --git a/content/universe.md b/content/universe.md index bebfe5a..91f6f00 100644 --- a/content/universe.md +++ b/content/universe.md @@ -1,9 +1,9 @@ --- title: "The disclose.io Universe" -description: "The open standard for safe harbor vulnerability disclosure — and the ecosystem that makes it real." +description: "The open standard for safe harbor vulnerability disclosure, and the ecosystem that makes it real." --- -The disclose.io project is the open-source layer between raw standards (ISO 29147, CISA CVD) and commercial platforms — a vendor-neutral, practitioner-first playbook for coordinated vulnerability disclosure. It's the open infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. +The disclose.io project is the open-source layer between raw standards (ISO 29147, CISA CVD) and commercial platforms, a vendor-neutral, practitioner-first playbook for coordinated vulnerability disclosure. It's the open infrastructure that powers vulnerability disclosure and security reporting, Internet-wide. Below is the full ecosystem. Every component answers a real question someone asks when they hit the VDP wall. @@ -14,36 +14,36 @@ Below is the full ecosystem. Every component answers a real question someone ask ## Core -- [disclose.io](/) — the framework, docs, and project home -- [directory.disclose.io](https://directory.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=directory) — the open **system of record** for every known VDP and bug bounty program -- [state.disclose.io](https://state.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=state) — maturity metrics + the evidence-backed [safe-harbor scoreboard](https://state.disclose.io/top-100/) -- [disclose.io/programs](/programs) — curated programs with safe harbor language -- [disclose.io/platforms](/platforms) — bug bounty platforms supporting safe harbor -- [disclose.io/threats](/threats) — the public archive of legal threats to security researchers -- [disclose.io/history](/history) — 20+ years of coordinated disclosure +- [disclose.io](/): the framework, docs, and project home +- [directory.disclose.io](https://directory.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=directory): the open **system of record** for every known VDP and bug bounty program +- [state.disclose.io](https://state.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=state): maturity metrics + the evidence-backed [safe-harbor scoreboard](https://state.disclose.io/top-100/) +- [disclose.io/programs](/programs): curated programs with safe harbor language +- [disclose.io/platforms](/platforms): bug bounty platforms supporting safe harbor +- [disclose.io/threats](/threats): the public archive of legal threats to security researchers +- [disclose.io/history](/history): 20+ years of coordinated disclosure ## Tools -- [lookup.disclose.io](https://lookup.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=lookup) — vendor → security contact, program, and safe harbor status -- [policymaker.disclose.io](https://policymaker.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=policymaker) — guided VDP policy, security.txt, and DNS Security TXT generator -- [vault.disclose.io](https://vault.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=vault) — cryptographically-enforced coordinated disclosure with deadline enforcement -- [dnssecuritytxt.org](https://dnssecuritytxt.org?utm_source=universe&utm_medium=onepager&utm_campaign=dnssecuritytxt) — DNS-based security contact discovery +- [lookup.disclose.io](https://lookup.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=lookup): vendor → security contact, program, and safe harbor status +- [policymaker.disclose.io](https://policymaker.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=policymaker): guided VDP policy, security.txt, and DNS Security TXT generator +- [vault.disclose.io](https://vault.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=vault): cryptographically-enforced coordinated disclosure with deadline enforcement +- [dnssecuritytxt.org](https://dnssecuritytxt.org?utm_source=universe&utm_medium=onepager&utm_campaign=dnssecuritytxt): DNS-based security contact discovery ## Community -- [community.disclose.io](https://community.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=community) — the forum -- [blog.disclose.io](https://blog.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=blog) — PolicyPulse and commentary ("Running With Scissors") -- [dates.disclose.io](https://dates.disclose.io/upcoming-dates.ics) — the shared disclosure calendar (subscribable ICS) +- [community.disclose.io](https://community.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=community): the forum +- [blog.disclose.io](https://blog.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=blog): PolicyPulse and commentary ("Running With Scissors") +- [dates.disclose.io](https://dates.disclose.io/upcoming-dates.ics): the shared disclosure calendar (subscribable ICS) ## Open source -- [dioterms](https://github.com/disclose/dioterms?utm_source=universe&utm_medium=onepager&utm_campaign=dioterms) — CC0, lawyer-reviewed safe harbor policy templates -- [diodb](https://github.com/disclose/diodb?utm_source=universe&utm_medium=onepager&utm_campaign=diodb) — legacy open dataset (superseded by [directory.disclose.io](https://directory.disclose.io) as the system of record) -- [policymaker.disclose.io](https://policymaker.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=policymaker) — guided VDP policy generator +- [dioterms](https://github.com/disclose/dioterms?utm_source=universe&utm_medium=onepager&utm_campaign=dioterms): CC0, lawyer-reviewed safe harbor policy templates +- [diodb](https://github.com/disclose/diodb?utm_source=universe&utm_medium=onepager&utm_campaign=diodb): legacy open dataset (superseded by [directory.disclose.io](https://directory.disclose.io) as the system of record) +- [policymaker.disclose.io](https://policymaker.disclose.io?utm_source=universe&utm_medium=onepager&utm_campaign=policymaker): guided VDP policy generator ## Legal backstop -- [SRLDF](https://srldf.org?utm_source=universe&utm_medium=onepager&utm_campaign=srldf) — Security Research Legal Defense Fund +- [SRLDF](https://srldf.org?utm_source=universe&utm_medium=onepager&utm_campaign=srldf): Security Research Legal Defense Fund --- diff --git a/data/navigation/boxes.yaml b/data/navigation/boxes.yaml index 3fd5e79..3cdb178 100644 --- a/data/navigation/boxes.yaml +++ b/data/navigation/boxes.yaml @@ -6,7 +6,7 @@ url: "https://policymaker.disclose.io" - title: "I found a vulnerability" - description: "Look up who to report to. Lookup resolves any asset to its security contact, disclosure program, and safe harbor status — and helps you navigate the process." + description: "Look up who to report to. Lookup resolves any asset to its security contact, disclosure program, and safe harbor status, and helps you navigate the process." icon: "search" url: "https://lookup.disclose.io" diff --git a/data/partners.yaml b/data/partners.yaml index 80a1cc8..e0c2529 100644 --- a/data/partners.yaml +++ b/data/partners.yaml @@ -7,7 +7,7 @@ description: |

A 501(c)(3) nonprofit that helps fund legal representation for security researchers who face legal threats as a result of good-faith security research.

If you (or someone you know) is facing legal action for good-faith research, you can apply for a defense grant.

-

If you want to help keep the chilling effect in check, you can donate to the fund — donations are tax-deductible.

+

If you want to help keep the chilling effect in check, you can donate to the fund. Donations are tax-deductible.

- name: "The Hacking Games" short_name: "The Hacking Games" @@ -15,7 +15,7 @@ logo: "/uploads/partners/thehackinggames.png" logo_bg: "#000000" description: | -

A community and pipeline that helps unconventional thinkers — gamers, CTF players, and bug bounty hunters — turn their talents into legitimate cybersecurity careers.

+

A community and pipeline that helps unconventional thinkers (gamers, CTF players, and bug bounty hunters) turn their talents into legitimate cybersecurity careers.

If you've got the hacker mindset and are looking for a way in, join their Discord community.

If your organization wants to hire outside the traditional pipeline, work with them as a partner to connect with their talent pool.

@@ -25,5 +25,5 @@ logo: "/uploads/partners/hackersonthehill.svg" description: |

An I Am The Cavalry initiative that brings security researchers face-to-face with policymakers. Founded in 2017 and now global.

-

2026 events run in Den Haag (May 8) and Washington DC (June 16), with a new state-capitol pilot in Denver.

+

Events run across the US and Europe throughout the year.

If you're a researcher who wants policymakers to hear from you directly, join the mailing list to get notified about upcoming events.

diff --git a/data/superheroes.yaml b/data/superheroes.yaml index bde73b5..9554ae2 100644 --- a/data/superheroes.yaml +++ b/data/superheroes.yaml @@ -1,4 +1,4 @@ -# Internet superheroes — homepage section under "Why does disclose.io exist?" +# Internet superheroes: homepage section under "Why does disclose.io exist?" # Mirrors the 2023 archive (web.archive.org 20230208234037): display handle under avatar + tier beneath. # Avatar source: github (github.com/.png) or twitter (unavatar.io/twitter/). # Order and text are preserved from the archive HTML. diff --git a/layouts/_default/baseof.html b/layouts/_default/baseof.html index de7e0f7..a72ee2d 100644 --- a/layouts/_default/baseof.html +++ b/layouts/_default/baseof.html @@ -96,7 +96,7 @@ "applicationCategory": "SecurityApplication", "operatingSystem": "Web, API", "url": "https://vault.disclose.io/", - "description": "Cryptographic timelock-encrypted vulnerability disclosure deadline enforcer. Once committed, the disclosure cannot be suppressed — on expiry it becomes publicly readable.", + "description": "Cryptographic timelock-encrypted vulnerability disclosure deadline enforcer. Once committed, the disclosure cannot be suppressed, on expiry it becomes publicly readable.", "offers": { "@type": "Offer", "price": "0", "priceCurrency": "USD" }, "provider": { "@id": "https://disclose.io/#org" } }, @@ -180,7 +180,7 @@ {{/* Mobile menu */}} {{ partial "mobile-menu.html" . }} - {{/* Google Analytics — loader, cross-domain linker, event tracking */}} + {{/* Google Analytics, loader, cross-domain linker, event tracking */}} {{ if eq hugo.Environment "production" }} {{ partial "analytics.html" . }} {{ end }} diff --git a/layouts/_default/threats.html b/layouts/_default/threats.html index 4a1ffb1..f3498d2 100644 --- a/layouts/_default/threats.html +++ b/layouts/_default/threats.html @@ -103,7 +103,7 @@

{{ .Title }}

list-style-type: disc; } - /* Table wrapper — card style matching platforms */ + /* Table wrapper, card style matching platforms */ .threats-content table { width: 100%; border-collapse: collapse; @@ -115,7 +115,7 @@

{{ .Title }}

box-shadow: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1); } - /* Table headers — sticky */ + /* Table headers, sticky */ .threats-content thead th { background: hsla(240, 8%, 97%, 1); color: #111827; @@ -142,7 +142,7 @@

{{ .Title }}

background: hsla(240, 8%, 97%, 1); } - /* Column widths — When/Entity/Researcher/Topic compact, Status gets space */ + /* Column widths, When/Entity/Researcher/Topic compact, Status gets space */ .threats-content td:nth-child(1) { /* When */ white-space: nowrap; width: 7rem; @@ -156,13 +156,13 @@

{{ .Title }}

.threats-content td:nth-child(4) { /* Topic */ width: 14rem; } - .threats-content td:nth-child(5) { /* Status — gets remaining space, word-wrap */ + .threats-content td:nth-child(5) { /* Status, gets remaining space, word-wrap */ word-wrap: break-word; overflow-wrap: break-word; min-width: 20rem; } - /* Links — purple */ + /* Links, purple */ .threats-content a { color: #673ab6; font-weight: 500; diff --git a/layouts/partials/analytics.html b/layouts/partials/analytics.html index f09eeca..7f5b166 100644 --- a/layouts/partials/analytics.html +++ b/layouts/partials/analytics.html @@ -1,5 +1,5 @@ {{/* - Analytics partial — GA4 loader + event tracking. + Analytics partial, GA4 loader + event tracking. Safe to include unconditionally; it self-guards against dev/local/staging hostnames at runtime (in addition to Hugo's environment gate in baseof). @@ -7,11 +7,11 @@ Emits: - Standard page_view / session_start / first_visit via gtag config - Enhanced Measurement events (scroll, outbound click, file_download, - view_search_results, video_*, form_*) — configured server-side in GA4 - - `outbound` with {link_class, link_domain, link_url} — classifies all + view_search_results, video_*, form_*), configured server-side in GA4 + - `outbound` with {link_class, link_domain, link_url}, classifies all external clicks (github-framework, github, platform, social, ally, other) - - `search` with {search_term} — debounced Pagefind input events - - `search_zero_results` with {search_term} — detected via MutationObserver + - `search` with {search_term}, debounced Pagefind input events + - `search_zero_results` with {search_term}, detected via MutationObserver Cross-domain linker covers the *.disclose.io family so users bouncing between disclose.io and directory/policymaker/lookup/community/blog/vault @@ -53,7 +53,7 @@ if (window.console) console.info('[ga4] internal flag CLEARED for this browser'); } else { localStorage.setItem('ga4_internal', '1'); - if (window.console) console.info('[ga4] internal flag SET — traffic from this browser will be excluded from reports'); + if (window.console) console.info('[ga4] internal flag SET, traffic from this browser will be excluded from reports'); } } internalFlag = localStorage.getItem('ga4_internal') === '1'; diff --git a/layouts/partials/footer.html b/layouts/partials/footer.html index 78d5a2a..d8f090d 100644 --- a/layouts/partials/footer.html +++ b/layouts/partials/footer.html @@ -7,7 +7,7 @@ disclose.io

- The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting — safe, simple, and standardized for everyone. + The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting. Safe, simple, and standardized for everyone.

diff --git a/layouts/partials/hero.html b/layouts/partials/hero.html index 12870eb..5b4c61d 100644 --- a/layouts/partials/hero.html +++ b/layouts/partials/hero.html @@ -22,7 +22,7 @@

{{ . }} diff --git a/layouts/partials/newsletter-cta.html b/layouts/partials/newsletter-cta.html index cb98a3b..967d52e 100644 --- a/layouts/partials/newsletter-cta.html +++ b/layouts/partials/newsletter-cta.html @@ -1,4 +1,4 @@ -{{/* Newsletter CTA — extracted from layouts/index.html so it can be reused on +{{/* Newsletter CTA, extracted from layouts/index.html so it can be reused on high-engagement pages (platforms, programs, threats, framework) to convert net-new users into returning ones. Per GA 2026-05 read: returning users engage at 2x but are only ~9% of audience. This is the loop-closer. */}} diff --git a/layouts/partials/page-tldr.html b/layouts/partials/page-tldr.html index a425bbb..d328fb9 100644 --- a/layouts/partials/page-tldr.html +++ b/layouts/partials/page-tldr.html @@ -1,4 +1,4 @@ -{{/* Quote-friendly TL;DR block — renders if a page has `tldr` in frontmatter. +{{/* Quote-friendly TL;DR block, renders if a page has `tldr` in frontmatter. Designed for LLM/AI crawlers to lift verbatim. Keep tldr to 2-3 sentences, written as standalone fact statements that read well out of context. */}} {{ with .Params.tldr }} diff --git a/layouts/partials/superheroes.html b/layouts/partials/superheroes.html index af0c146..51dc612 100644 --- a/layouts/partials/superheroes.html +++ b/layouts/partials/superheroes.html @@ -1,4 +1,4 @@ -{{/* Internet superheroes section — homepage, immediately under the "Why does disclose.io exist?" videos block. +{{/* Internet superheroes section, homepage, immediately under the "Why does disclose.io exist?" videos block. Tight 10-across grid on sm+; handle under avatar; tier labels hidden to keep vertical rhythm clean. */}} {{ $superheroes := site.Data.superheroes }} {{ if $superheroes }} @@ -18,7 +18,7 @@

{{ if .url }} - + {{ if .avatar }} {{ $display }} {{ else }} diff --git a/layouts/sitemap.xml b/layouts/sitemap.xml index e034cab..8e2916b 100644 --- a/layouts/sitemap.xml +++ b/layouts/sitemap.xml @@ -15,7 +15,7 @@ {{- end }} {{- end }} - {{/* AI-readable canonical files — Hugo doesn't add /static/ files to the sitemap automatically, + {{/* AI-readable canonical files, Hugo doesn't add /static/ files to the sitemap automatically, and llms-full.txt is generated at build time as a separate output format. Include them explicitly so search engines and AI crawlers find them. */}} diff --git a/scripts/preprocess-framework.js b/scripts/preprocess-framework.js index ad72470..2343b84 100644 --- a/scripts/preprocess-framework.js +++ b/scripts/preprocess-framework.js @@ -127,7 +127,37 @@ function writeIfChanged(outPath, body) { return 'written'; } -function processFile({ src, out, title, description, weight, license, replaceVariables: doReplace, stripFirstH1: doStrip, extra }) { +// Replace em-dashes with sensible punctuation so generated pages match the +// disclose.io house style (no em-dashes). Applied to maturity descriptions +// (disclose.io's own content) only — NOT the canonical legal terms or the +// externally-attributed practices doc. +function dedashText(text) { + return text.split('\n').map((line) => { + const isHeading = /^\s{0,3}#{1,6}\s/.test(line); + const isLabel = /^\s*(title|name)\s*[:=]/.test(line); + let out = ''; + let i = 0; + let first = true; + while (i < line.length) { + if (line[i] === ' ' && line[i + 1] === '—' && line[i + 2] === ' ') { + const prev = out.length ? out[out.length - 1] : ''; + const colon = prev === ')' || prev === '*' || ((isHeading || isLabel) && first); + out += colon ? ': ' : ', '; + i += 3; first = false; continue; + } + if (line[i] === '—') { + if (out.endsWith(' ')) out = out.slice(0, -1); + out += ','; i += 1; + if (line[i] !== ' ') out += ' '; + continue; + } + out += line[i]; i += 1; + } + return out; + }).join('\n'); +} + +function processFile({ src, out, title, description, weight, license, replaceVariables: doReplace, stripFirstH1: doStrip, dedash: doDedash, extra }) { const srcPath = path.join(SRC, src); if (!fs.existsSync(srcPath)) { console.warn(`[skip] source not found: ${src}`); @@ -137,6 +167,7 @@ function processFile({ src, out, title, description, weight, license, replaceVar if (doStrip) content = stripFirstH1(content); if (doReplace) content = replaceVariables(content); content = rewriteLinks(content); + if (doDedash) content = dedashText(content); const body = frontMatter({ title, description, weight, license, extra }) + content.trimStart(); const outPath = path.join(OUT, out); const status = writeIfChanged(outPath, body); @@ -176,11 +207,12 @@ function main() { const p = processFile({ src: m.src, out: `maturity/${m.slug}.md`, - title: m.title, + title: m.title.replace(/\s—\s/g, ': '), description: m.description, weight: m.weight, replaceVariables: false, stripFirstH1: true, + dedash: true, }); if (p) { wrote.add(p); count++; } } diff --git a/static/images/universe-diagram.svg b/static/images/universe-diagram.svg index 4624be7..80bff73 100644 --- a/static/images/universe-diagram.svg +++ b/static/images/universe-diagram.svg @@ -1,5 +1,5 @@ - The disclose.io Universe — ecosystem map + The disclose.io Universe: ecosystem map A diagram showing how disclose.io components relate: the framework at the core, tools and open-source projects helping organizations climb the DIOstatus maturity ladder and helping researchers operate around it, with community support and SRLDF legal backstop. @@ -155,7 +155,7 @@ Community community.disclose.io - the forum — peer support across every level + the forum: peer support across every level diff --git a/static/internal/utm-builder.html b/static/internal/utm-builder.html index 5744eb2..954daa2 100644 --- a/static/internal/utm-builder.html +++ b/static/internal/utm-builder.html @@ -4,7 +4,7 @@ -UTM Builder — disclose.io internal +UTM Builder: disclose.io internal