A true, community-powered, vendor agnostic directory of all known VDP and BBPs, contact details, policy location, preferred languages, and the status of:
|Search through the database front-end||https://disclose.io/programs|
|Download the raw database in .json format||https://github.com/disclose/diodb/raw/master/program-list.json|
|Join disclose.io Community Forum||https://community.disclose.io|
|Create a Vulnerability Disclosure Program (VDP)||https://github.com/disclose/dioterms|
diodb exists to drive the adoption of Safe Harbor for hackers and promote the cybersecurity posture of early adopters, simplify the process of finding the right contacts and channel at an organization, and help both finders and vendors align around the expectations of engagement. It also provides a simple, vendor-agnostic point of engagement for program operators, potential program operators, and the security community to maintain updates to their program.
If you have new VDP or bug bounty program information to add, update, or delete in the #diodb open-source vulnerability disclosure and bug bounty program list, we'd love you to contribute by issuing a Pull Request.
Programs on the bug-bounty-list need to satisfy the definition of a public bug bounty or vulnerability disclosure program, which means they need two key components:
If you work with an organization like this, encourage them to launch a formal and public program and point them to disclose.io for helpful tools to assist them along the way!
Remember, the goal of The disclose.io Project is to drive the adoption of VDP with best practices, so we'll only accept entries that satisfy the Policy and Intake requirement above.
Sometimes, organizations have informal vulnerability reporting setups. While these organizations provide lucky or persistent folks with the option to report issues, this arrangement does NOT constitute a formally established and fully endorsed public VDP.
Some examples of this include:
disclose by disclose.io is licensed under a Creative Commons Attribution 4.0 International License. 3. Does the policy talk about "not legally pursuing researchers" or use similar language, but does not explicitly grant authorization and/or exemption for security testing? Are any of the key parameters described above ambiguously defined or missing completely? If so, you should choose "Partial".