Researcher Documentation

Welcome to the researcherdocs developer hub. You'll find comprehensive guides and documentation to help you start working with researcherdocs as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started

Disclose.io and Safe Harbor

Disclose.io

disclose.io is a collaborative, open source and vendor-agnostic project to standardize best practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs. The disclose.io legal framework is designed to balance:

  • Legal completeness
  • Safe harbor for security researchers
  • Safe harbor for program owners
  • Readability for those who do not have a legal background or who do not speak English as a first language

Programs displaying the disclose.io logo are committing to a set of Core Terms focused on creating a safe harbor for good-faith security research. In order to uphold this commitment, Bugcrowd recommends program owners provide the following:

  • Scope – an exhaustive list of “In-Scope” properties that the organization is explicitly providing safe harbor for the good-faith security testing of, and optionally, a non-exhaustive list of “Out-of-Scope” properties that the organization strongly wishes to discourage testing against (on top of the implicit lack of safe harbor or authorization for security testing)
  • Rewards – whether compensation will be provided for (valid, unique) issues, as well as the form and magnitude of that compensation
  • Official Communication Channels – an exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating about any information associated with potential vulnerabilities
  • Disclosure Policy – an explicit policy outlining the conditions under which the existence and/or details of a reported issue may be disclosed to third parties. Examples include:
    -- Coordinated Disclosure: Vulnerability details may be shared with third parties after the vulnerability has been fixed and the Program Owner has provided permission to disclose.
    -- Discretionary Disclosure: Vulnerability details may be shared with third parties only after requesting and receiving explicit permission from the Program Owner.
    -- Non-Disclosure: Vulnerability details (and the existence of the program itself if private) cannot be shared with third parties.

Safe Harbor

Full safe harbor status (“Safe harbor”) is granted to programs that are committing to all the requirements listed above. Programs that have not met all of the requirements for providing full safe harbor (e.g. do not sufficiently define the terms as outlined in the above requirements) are granted partial safe harbor status (“Partial safe harbor”), which does not represent the same level of commitment as full safe harbor does.

You may now see whether a program is committed to providing safe harbor in both the program briefs and the program page.

Safe harbor icons in programs page.

Full safe harbor icon in a program brief.

Partial safe harbor icon in a program brief.

Disclose.io and Safe Harbor


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.