Open-source vulnerability disclosure policy templates.
The disclose.io Terms (dioterms) offer a comprehensive and flexible framework for organizations looking to implement vulnerability disclosure programs and bug bounty programs. These terms are designed to provide clarity and safety for both security researchers and vendors, ensuring a collaborative approach to addressing security vulnerabilities. Understanding and correctly utilizing these terms can significantly enhance an organization’s cybersecurity posture while fostering goodwill with ethical hackers.
The document outlines various core terms, modules, and templates that can be tailored to fit the specific needs of an organization, considering regional laws and industry nuances. By utilizing this framework, companies can effectively engage with the security community, enabling a smoother and safer disclosure process.
Core Terms: Designed for maximum flexibility, these terms uphold bilateral safety and readability, catering to diverse legal environments for both finders and vendors.
Core Modules: These modules extend upon the core terms, serving as the foundation for language and regional legal translations to ensure broad applicability.
Regionalized Terms: Contributions from PSIRTs and security policy advocates have shaped these terms to accommodate different laws and languages based on geographical location.
Verticalized Terms: Tailored to specific industries or use-cases, these terms address unique challenges, such as those posed by critical infrastructure sectors.
Simple Safe Harbor: This template incorporates Safe Harbor language into existing VDPs and bug bounty programs, providing crucial legal protections for security testing.
Full Safe Harbor Requirements: The terms clearly outline what constitutes Full Safe Harbor, including protections against anti-hacking laws and good-faith acknowledgments essential for both researchers and organizations.
Coordinated Disclosure: The framework facilitates a structured process for researchers to share vulnerabilities safely and responsibly, promoting ethical practices in cybersecurity.