disclose.io is a collaborative, open source and vendor-agnostic project to standardize best practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs. The disclose.io legal framework is designed to balance:
- Legal completeness
- Safe harbor for security researchers
- Safe harbor for program owners
- Readability for those who do not have a legal background or who do not speak English as a first language
Programs displaying the disclose.io logo are committing to a set of core terms that is focused on creating a safe harbor for good-faith security research. To uphold this commitment, Bugcrowd recommends Program Owners provide the following:
- Scope: An exhaustive list of In-Scope properties for which the organization is explicitly providing safe harbor for good-faith security testing, and optionally, a non-exhaustive list of Out-of-Scope properties on which the organization strongly wants to discourage testing (on top of the implicit lack of safe harbor or authorization for testing anything not listed as In-Scope).
- Rewards: Indicate whether compensation will be provided for valid and unique issues and the form and magnitude of that compensation.
- Official communication channels: An exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating about any information associated with potential vulnerabilities.
- Disclosure policy: An explicit policy outlining the conditions under which the existence and/or details of a reported issue may be disclosed to third parties. Examples include:
  - Coordinated Disclosure: Vulnerability details may be shared with third parties after the vulnerability has been fixed and the Program Owner has provided permission to disclose.
  - Discretionary Disclosure: Vulnerability details may be shared with third parties only after requesting and receiving explicit permission from the Program Owner.
  - Non-Disclosure: Vulnerability details (and the existence of the program itself, if private) cannot be shared with third parties.
Full safe harbor status (Safe harbor) is granted to programs that commit to all of the requirements listed above. Programs that have not met all of the requirements for providing full safe harbor (for example, programs that do not sufficiently define the terms outlined above) are granted partial safe harbor status (Partial safe harbor), which does not represent the same level of commitment as full safe harbor.
You can view whether a program is committed to providing safe harbor in both the Program Brief and the Program page.
Safe harbor icons in the Program page.
Full safe harbor icon in the Program Brief.
Partial safe harbor icon in the Program Brief.