A brief history of vulnerability disclosure

Major events in the standardization of vulnerability reporting and disclosure

It’s easy to look at the steadily improving relationship between hackers and companies and presume that it has always been this way, but that is far from the truth.

This timeline captures some of the major events in the standardization of vulnerability reporting and disclosure, as well as the origins of The disclose.io Project.

Got a suggestion for this timeline? Send a pull request!

Oct 10, 1995

Netscape

The first technology "bugs bounty" is launched by Netscape

Sep 28, 2001

RFPolicy

Version 1 of the Rain Forest Puppy disclosure policy template is released

Feb, 2012

ISO 24197/30111

ISO 24197/30111 released for paying customers

Jul 24, 2014

OSVDF

Bugcrowd and Cipherlaw collaborate to release the Open Source Vulnerability Disclosure Framework

Apr 18, 2016

Free ISO 24197

ISO 24197 made free to download

2018

#legalbugbounty

Amit Elazari hits the cybersecurity talk circuit talking about legal "safe harbor" for hackers

Aug 3, 2018

Disclose.io launch

Oct, 2019

ISO/IEC 30111:2019

Updated vulnerability handling processes standard published

Sep 2, 2020

CISA BOD 20-01

Binding Operational Directive requires all US federal civilian agencies to publish VDPs

Sep, 2020

UK Vulnerability Disclosure Toolkit

UK NCSC releases comprehensive VDP guidance and templates

Jun 3, 2021

Van Buren v. United States

Jul 30, 2021

CISA VDP Platform

CISA launches centralized VDP platform for federal agencies

Apr, 2022

RFC 9116 (security.txt)

IETF standardizes machine-readable format for vulnerability disclosure policies

May 19, 2022

DOJ Good-Faith Security Research Policy

DOJ announces it will not prosecute good-faith security research under CFAA

Dec 14, 2022

NIS2 Directive

May, 2023

NIST SP 800-216

NIST publishes federal vulnerability disclosure guidelines framework

Apr 29, 2024

UK PSTI Act Enforced

First law requiring VDPs for consumer IoT devices takes effect

Dec 10, 2024

EU Cyber Resilience Act

EU regulation mandating VDPs for all products with digital elements enters force

May 13, 2025

ENISA European Vulnerability Database

EU launches centralized vulnerability database per NIS2 mandate