Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion config/_default/hugo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ pygmentsUseClasses = true
endLevel = 4
ordered = false

# Taxonomies (disabled no content uses tags or categories)
# Taxonomies (disabled: no content uses tags or categories)
[taxonomies]

# Permalinks
Expand Down
29 changes: 22 additions & 7 deletions config/_default/menus.toml
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,21 @@
url = "/history/"
weight = 40

[[footer_resources]]
name = "Directory"
url = "https://directory.disclose.io"
weight = 45

[[footer_resources]]
name = "Scoreboard"
url = "https://state.disclose.io"
weight = 50

[[footer_resources]]
name = "Vault"
url = "https://vault.disclose.io"
weight = 55

# Footer navigation - Community
[[footer_community]]
name = "GitHub"
Expand Down Expand Up @@ -224,7 +239,7 @@
parent = "Community"
weight = 20

# Framework sidebar navigation three pillars
# Framework sidebar navigation: three pillars
[[framework]]
name = "Overview"
url = "/framework/"
Expand Down Expand Up @@ -277,37 +292,37 @@
weight = 5

[[framework]]
name = "Level 0 Not Present"
name = "Level 0: Not Present"
url = "/framework/maturity/level-0/"
parent = "Maturity (diostatus)"
weight = 10

[[framework]]
name = "Level 1 Contact Only"
name = "Level 1: Contact Only"
url = "/framework/maturity/level-1/"
parent = "Maturity (diostatus)"
weight = 20

[[framework]]
name = "Level 2 Basic VDP"
name = "Level 2: Basic VDP"
url = "/framework/maturity/level-2/"
parent = "Maturity (diostatus)"
weight = 30

[[framework]]
name = "Level 3 Partial Safe Harbor"
name = "Level 3: Partial Safe Harbor"
url = "/framework/maturity/level-3/"
parent = "Maturity (diostatus)"
weight = 40

[[framework]]
name = "Level 4 Full Safe Harbor"
name = "Level 4: Full Safe Harbor"
url = "/framework/maturity/level-4/"
parent = "Maturity (diostatus)"
weight = 50

[[framework]]
name = "Level 5 Full Safe Harbor + CVD"
name = "Level 5: Full Safe Harbor + CVD"
url = "/framework/maturity/level-5/"
parent = "Maturity (diostatus)"
weight = 60
Expand Down
2 changes: 1 addition & 1 deletion config/_default/params.toml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Site metadata
description = "disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for security researchers."
description = "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting. Safe, simple, and standardized for everyone."
author = "disclose.io"

# Social/SEO
Expand Down
7 changes: 4 additions & 3 deletions content/_index.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
---
title: "disclose.io"
description: "We're here to make vulnerability disclosure safe, simple, and standardized for everyone."
description: "The open, vendor-neutral infrastructure that powers vulnerability disclosure and security reporting. Safe, simple, and standardized for everyone."
hero:
title: "disclose.io"
subtitle: "We're here to make vulnerability disclosure safe, simple, and standardized for everyone."
subtitle: "The infrastructure that powers vulnerability disclosure and security reporting. Safe, simple, and standardized for everyone."
supporting: "Open source · vendor-neutral · home of the safe-harbor scoreboard."
image: "uploads/tug-of-war.png"
search: true
buttons:
Expand All @@ -18,7 +19,7 @@ faq:
subtitle: "Got a quick question? Let's get you a quick answer"
partners:
title: "Partners and friends"
subtitle: "Organizations that share our mission — folks worth knowing, and ways to engage with them"
subtitle: "Organizations that share our mission, and ways to engage with them"
videos:
title: "Why does disclose.io exist?"
subtitle: "A couple of talks to get you started..."
Expand Down
2 changes: 1 addition & 1 deletion content/contact.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,4 @@ description: "Got questions, suggestions, or want to start a disclose.io project

We'd love to hear from you! Reach out to us at [hello@disclose.io](mailto:hello@disclose.io).

You can also say hello over at the [disclose.io Community Discourse](https://community.disclose.io) contributors to disclose.io as well as many from the finder, builder, CERT, and facilitator communities are there.
You can also say hello over at the [disclose.io Community Discourse](https://community.disclose.io): contributors to disclose.io as well as many from the finder, builder, CERT, and facilitator communities are there.
32 changes: 16 additions & 16 deletions content/docs/advocacy-and-activism.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,22 +12,22 @@ weight: 120

Following is a collection of letters and statements that disclose.io and/or its members have either co-authored or joined as a signatory, in reverse chronological order:

- [Comments on NIST Cyber AI Profile](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hacking-policy-council-comment-on-nist-cyber-ai-profile) (February 2026) Joint Cybersecurity Coalition and Hacking Policy Council comments on NIST's Cybersecurity AI Community Profile, recommending lifecycle-based AI risk management and recognition of red teaming and bug bounty programs for AI systems.
- [Comments on EU CRA Delegated Act on Delaying Incident Notifications](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hpc-comment-on-eu-cra-delegated-act-on-delaying-dissemination-of-notifications-about-vulnerabilities-and-incidents) (December 2025) Joint Cybersecurity Coalition and HPC comments urging the European Commission to make the 72-hour timeframe for mitigation measures more flexible.
- [Letter in Support for Reauthorization of the Cybersecurity Information Sharing Act of 2015](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/686c033e68c8113961b742d7_HPC%20Letter%20of%20Support%20for%20CISA%202015.pdf) (July 2025) HPC letter to Congress urging reauthorization of CISA 2015 before its expiration.
- [Comments on the Development of an AI Action Plan](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/67daf93765b1ddf7ae51346d_Hacking%20Policy%20Council%20-%20White%20House%20AI%20Action%20Plan%20Comments.pdf) (March 2025) HPC comments to the White House on AI security testing and vulnerability disclosure as part of the national AI Action Plan.
- [Resource on Vulnerability Management under the EU Cyber Resilience Act](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/672a576c4b934de1bc54a95e_HPC%20-%20CRA%20and%20vuln%20management%20resource%20-%20updated%2020241028.pdf) (October 2024) HPC guidance on vulnerability management obligations under the EU CRA framework.
- [Comments to CISA on Cyber Incident Reporting for Critical Infrastructure (CIRCIA)](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66ba3e8ca62102990d3d1f77_Hacking%20Policy%20Council%20-%20CIRCIA%20Comments%20-%2020240703%20(1).pdf) (July 2024) HPC comments on how incident reporting requirements interact with security research and vulnerability disclosure.
- [Reply Comments for DMCA Section 1201 Exemption for Generative AI Research](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66310fc53222d7e3da10c1c9_Hacking%20Policy%20Council%20reply%20comments%20on%20the%20Ninth%20Triennial%20Proceeding%20-%2020240319.pdf) (March 2024) HPC reply comments in the Ninth Triennial Proceeding. The Copyright Office subsequently clarified that prompt injection, jailbreaking, and rate limit bypass do not violate DMCA Section 1201.
- [Joint Letter of Experts on CRA and Vulnerability Disclosure](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-of-experts-on-cra-and-vulnerability-disclosure) (October 2023) Open letter signed by 50+ cybersecurity experts opposing the EU CRA's Article 11 requirement for 24-hour disclosure of actively exploited unpatched vulnerabilities.
- [AI Red Teaming: Recommendations for Legal Clarity and Liability Protections](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/6579fcd1b821fdc1e507a6d0_Hacking-Policy-Council-statement-on-AI-red-teaming-protections-20231212.pdf) (December 2023) HPC recommendations establishing that AI red teaming needs legal safe harbors similar to those for traditional security research.
- [Position Statement on State Charging Policies for Security Researchers](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/64d3d1e780453a690d637186_HPC%20statement%20on%20state%20charging%20policy%20reform%20-%20August%202023.pdf) (August 2023) HPC statement addressing the risk that state prosecutors can pursue CFAA-style cases that federal prosecutors would decline, calling for reform of state-level charging policies.
- [Joint Letter to OFAC re Vulnerability Guidance](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-to-ofac-re-vulnerability-guidance) (May 2023) HPC letter requesting OFAC clarify that receiving vulnerability disclosures from individuals in sanctioned countries is not restricted under sanctions.
- [Security Researcher Statement on the DMCA](https://www.eff.org/deeplinks/2021/06/dmca-security-researcher-statement) (June 2021) EFF statement on DMCA exemptions for good-faith security research, co-signed by disclose.io and others.
- [Calling for Cybersecurity in Critical Infrastructure Modernization](https://www.rapid7.com/blog/post/2021/05/21/calling-for-cybersecurity-in-critical-infrastructure-modernization/) (May 2021) Coalition letter urging Congress and the Biden Administration to integrate cybersecurity requirements into infrastructure modernization legislation.
- [An Open Letter on Election Security](https://www.eff.org/deeplinks/2020/11/elections-are-partisan-affairs-election-security-isnt) (November 2020) Open letter alongside the EFF, Bugcrowd, the Centre for Democracy and Technology, Verified Voting, and others.
- [Open Letter to Columbus City Attorney Zach Klein](/uploads/open_letter_columbus_attorney_zach_klein.pdf) Regarding the prosecution of a security researcher who reported vulnerabilities in city election systems.
- [Response to Voatz](/voatz-response-letter) Addressing Voatz's claims about security researchers who identified vulnerabilities in their mobile voting application.
- [Comments on NIST Cyber AI Profile](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hacking-policy-council-comment-on-nist-cyber-ai-profile) (February 2026): Joint Cybersecurity Coalition and Hacking Policy Council comments on NIST's Cybersecurity AI Community Profile, recommending lifecycle-based AI risk management and recognition of red teaming and bug bounty programs for AI systems.
- [Comments on EU CRA Delegated Act on Delaying Incident Notifications](https://www.centerforcybersecuritypolicy.org/insights-and-research/cybersecurity-coalition-hpc-comment-on-eu-cra-delegated-act-on-delaying-dissemination-of-notifications-about-vulnerabilities-and-incidents) (December 2025): Joint Cybersecurity Coalition and HPC comments urging the European Commission to make the 72-hour timeframe for mitigation measures more flexible.
- [Letter in Support for Reauthorization of the Cybersecurity Information Sharing Act of 2015](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/686c033e68c8113961b742d7_HPC%20Letter%20of%20Support%20for%20CISA%202015.pdf) (July 2025): HPC letter to Congress urging reauthorization of CISA 2015 before its expiration.
- [Comments on the Development of an AI Action Plan](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/67daf93765b1ddf7ae51346d_Hacking%20Policy%20Council%20-%20White%20House%20AI%20Action%20Plan%20Comments.pdf) (March 2025): HPC comments to the White House on AI security testing and vulnerability disclosure as part of the national AI Action Plan.
- [Resource on Vulnerability Management under the EU Cyber Resilience Act](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/672a576c4b934de1bc54a95e_HPC%20-%20CRA%20and%20vuln%20management%20resource%20-%20updated%2020241028.pdf) (October 2024): HPC guidance on vulnerability management obligations under the EU CRA framework.
- [Comments to CISA on Cyber Incident Reporting for Critical Infrastructure (CIRCIA)](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66ba3e8ca62102990d3d1f77_Hacking%20Policy%20Council%20-%20CIRCIA%20Comments%20-%2020240703%20(1).pdf) (July 2024): HPC comments on how incident reporting requirements interact with security research and vulnerability disclosure.
- [Reply Comments for DMCA Section 1201 Exemption for Generative AI Research](https://cdn.prod.website-files.com/660ab0cd271a25abeb800453/66310fc53222d7e3da10c1c9_Hacking%20Policy%20Council%20reply%20comments%20on%20the%20Ninth%20Triennial%20Proceeding%20-%2020240319.pdf) (March 2024): HPC reply comments in the Ninth Triennial Proceeding. The Copyright Office subsequently clarified that prompt injection, jailbreaking, and rate limit bypass do not violate DMCA Section 1201.
- [Joint Letter of Experts on CRA and Vulnerability Disclosure](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-of-experts-on-cra-and-vulnerability-disclosure) (October 2023): Open letter signed by 50+ cybersecurity experts opposing the EU CRA's Article 11 requirement for 24-hour disclosure of actively exploited unpatched vulnerabilities.
- [AI Red Teaming: Recommendations for Legal Clarity and Liability Protections](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/6579fcd1b821fdc1e507a6d0_Hacking-Policy-Council-statement-on-AI-red-teaming-protections-20231212.pdf) (December 2023): HPC recommendations establishing that AI red teaming needs legal safe harbors similar to those for traditional security research.
- [Position Statement on State Charging Policies for Security Researchers](https://cdn.prod.website-files.com/62713397a014368302d4ddf5/64d3d1e780453a690d637186_HPC%20statement%20on%20state%20charging%20policy%20reform%20-%20August%202023.pdf) (August 2023): HPC statement addressing the risk that state prosecutors can pursue CFAA-style cases that federal prosecutors would decline, calling for reform of state-level charging policies.
- [Joint Letter to OFAC re Vulnerability Guidance](https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-to-ofac-re-vulnerability-guidance) (May 2023): HPC letter requesting OFAC clarify that receiving vulnerability disclosures from individuals in sanctioned countries is not restricted under sanctions.
- [Security Researcher Statement on the DMCA](https://www.eff.org/deeplinks/2021/06/dmca-security-researcher-statement) (June 2021): EFF statement on DMCA exemptions for good-faith security research, co-signed by disclose.io and others.
- [Calling for Cybersecurity in Critical Infrastructure Modernization](https://www.rapid7.com/blog/post/2021/05/21/calling-for-cybersecurity-in-critical-infrastructure-modernization/) (May 2021): Coalition letter urging Congress and the Biden Administration to integrate cybersecurity requirements into infrastructure modernization legislation.
- [An Open Letter on Election Security](https://www.eff.org/deeplinks/2020/11/elections-are-partisan-affairs-election-security-isnt) (November 2020): Open letter alongside the EFF, Bugcrowd, the Centre for Democracy and Technology, Verified Voting, and others.
- [Open Letter to Columbus City Attorney Zach Klein](/uploads/open_letter_columbus_attorney_zach_klein.pdf): Regarding the prosecution of a security researcher who reported vulnerabilities in city election systems.
- [Response to Voatz](/voatz-response-letter): Addressing Voatz's claims about security researchers who identified vulnerabilities in their mobile voting application.

## Hacking Policy Council

Expand Down
2 changes: 1 addition & 1 deletion content/docs/contributors.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: "Contributors"
slug: "open-source-contributors"
description: "The people behind disclose.io legends, maintainers, and open-source contributors keeping the Internet safer."
description: "The people behind disclose.io, legends, maintainers, and open-source contributors keeping the Internet safer."
weight: 80
---

Expand Down
4 changes: 2 additions & 2 deletions content/docs/key-objectives.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ weight: 40

- **Create a vibrant community** that blends [security researchers, policymakers, lawyers, and technology vendors](https://community.disclose.io) to foster collaboration, and creates high-quality tools and data that support a virtuous cycle.
- Help organizations **promote adoption and excellence** to their customers, industry peers, and the security community.
- Maintain a [vulnerability disclosure policy maturity model](/docs/diostatus/) and **create a "race to the top"** for VDP adoption and the implementation of best practice.
- **Be the system of record** for the Disclose.io Status of a policy, provide easy mechanisms for anyone to lookup a target/organization, or to update their status.
- Maintain a [maturity model](/framework/maturity/) and drive a **race to the top**, published as the evidence-backed [safe-harbor scoreboard](https://state.disclose.io/top-100/).
- **Be the [open system of record](https://directory.disclose.io)** for every program's disclosure status, and let anyone [look one up](https://lookup.disclose.io) or update it.
- **Drive the state of the art** in thinking around legal risks faced for security researchers and the steps organizations can take to reduce them.
- [Make tools and techniques](https://github.com/disclose) **freely available** to technology vendors to ease the socialization and adoption of VDP.
Loading
Loading