disclose.io

• Hackers and Finders: You want to help, and you’re not sure that you’re welcome - We want to help you make safe decisions and connect you to the right people to take action on your input
• Legal teams: Vulnerability reporting and research is tricky, and inviting the help of hackers is still legally novel territory - We want to make it simple for you to make consensus-backed recommendations
• Organizations: Vulnerabilities are inherent to innovation, but it still takes guts to say so - We want to help you say so loudly and proudly
• Security Researchers: You’ve been waiting for the red carpet - We’ll help you find it

Most of the existing anti-hacking laws pre-date the notion of hacking for good or widespread knowledge of the “digital locksmiths” who are increasingly influencing modern-day digital safety.

These anti-hacking laws have been used by organizations to suppress good-faith security research in the pursuit of limiting negative publicity for the vendor, which nets out to a “chilling effect” on the input from the people the Internet needs to hear from most. If hackers are the Internet’s Immune System, then right now, even in 2026, the Internet still has an auto-immune problem.

“Safe Harbor” is the term used to describe clauses added to public policies which allow folks acting in good faith, as defined clearly and proactively by the recipient, to provide security feedback without fear of legal repercussions.

disclose.io intends to help define, spread, and reward the adoption of vulnerability disclosure programs with best practices like Safe Harbor.

Glad you asked!

• Start a vulnerability disclosure program (VDP), or upgrade your VDP or bug bounty program to include best practices like Safe Harbor and proactive disclosure timelines
• Join the community, contribute or assist with vulnerability research, and help finders connect with security teams to alert them of identified risks
• Help us keep “The Big List” of known VDPs and bug bounty programs up-to-date by submitting a PR to the dioterms repo
• Contribute to the dioterms open-source vulnerability disclosure policy by raising an issue on the repo… or add a language or regional legal translation by submitting a PR
• Volunteer as a core contributor/maintainer on one of our existing projects
• Recommend a new project to support our mission to make vulnerability disclosure safe, simple, and standardized.

disclose.io was formed as a merge of separate standardization projects initiated by RainForest Puppy, Bugcrowd, Cipherlaw, Dropbox, Dr. Amit Elazari, UC Berkeley, the National Transport and Information Authority, the US Department of Justice, and others.

We’re currently in the process of incorporating and pursuing status as a 501.c3 Not For Profit.

While we’ve engaged the legal opinion of many, this does not constitute legal advice. Please consult your legal counsel for the specific suitability of the disclose.io terms in your organization.