disclose.io is a collaborative, open source and vendor-agnostic project to standardize best practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs. The disclose.io legal framework is designed to balance:
- Legal completeness
- Safe harbor for security researchers
- Safe harbor for program owners
- Readability for those who do not have a legal background or who do not speak English as a first language
Programs displaying the disclose.io logo are committing to a set of Core Terms focused on creating a safe harbor for good-faith security research. In order to uphold this commitment, Bugcrowd recommends program owners provide the following:
- Scope – an exhaustive list of “In-Scope” properties for which the organization explicitly provides safe harbor for good-faith security testing, and optionally a non-exhaustive list of “Out-of-Scope” properties against which the organization strongly wishes to discourage testing (in addition to the implicit lack of safe harbor or authorization for testing anything not listed as in scope)
- Rewards – whether compensation will be provided for (valid, unique) issues, as well as the form and magnitude of that compensation
- Official Communication Channels – an exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating about any information associated with potential vulnerabilities
- Disclosure Policy – an explicit policy outlining the conditions under which the existence and/or details of a reported issue may be disclosed to third parties. Examples include:
  - Coordinated Disclosure: Vulnerability details may be shared with third parties after the vulnerability has been fixed and the Program Owner has provided permission to disclose.
  - Discretionary Disclosure: Vulnerability details may be shared with third parties only after requesting and receiving explicit permission from the Program Owner.
  - Non-Disclosure: Vulnerability details (and the existence of the program itself, if private) cannot be shared with third parties.
Full safe harbor status (“Safe harbor”) is granted to programs that are committing to all the requirements listed above. Programs that have not met all of the requirements for providing full safe harbor (e.g. do not sufficiently define the terms as outlined in the above requirements) are granted partial safe harbor status (“Partial safe harbor”), which does not represent the same level of commitment as full safe harbor does.
You may now see whether a program is committed to providing safe harbor in both the program briefs and the program page.
Safe harbor icons on the programs page.
Full safe harbor icon in a program brief.
Partial safe harbor icon in a program brief.