disclose.io
MISSION DOCUMENT · FUNDING BRIEFING · JULY 2026

The infrastructure that powers vulnerability disclosure and security reporting — Internet-wide.

Casey Ellis · co-founder, disclose.io · founder, Bugcrowd

Prepared July 2026 · all product screenshots are live captures · state.disclose.io data

WHY THIS EXISTS

Good-faith security researchers still get lawyers instead of thank-yous.

  • Only 10 of the Fortune 100 offer researchers true legal safe harbor. ASX 100: six. FTSE 100: three. (state.disclose.io/top-100, June 2026 audit)
  • Legal threats against researchers are still routine — disclose.io maintains the public database of them (research-threats).
  • AI has multiplied both signal and noise — more findings, more reporters, more pressure on a disclosure model built for a smaller internet.

Every unreported vulnerability is a risk transferred to users. Disclosure infrastructure is public-interest infrastructure.

Live capture of the disclose.io research-threats archive

Live capture · 1 Jul 2026 · disclose.io/threats

THE INITIATIVE

Mission

Be the infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere.

Vision

A world where every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping.

PROVENANCE

We didn't join this movement. We started it.

Twelve years of provenance, verified commit-by-commit — the standardized safe harbor movement runs on rails this initiative laid.

Lineage evidence: git root-commit + Wayback corroboration, disclose-archeology (2026), every date source-anchored.

THE ECOSYSTEM

One mission, eleven public properties — built and run as open infrastructure.

  • 27,583: ORGS & PROGRAMS TRACKED
  • 11: LIVE PUBLIC PROPERTIES
  • 10 + 6 + 3: F100 · ASX100 · FTSE100 WITH SAFE HARBOR
  • EST. 2018: OPEN SOURCE, VENDOR-NEUTRAL

Counts: state.disclose.io + June 2026 disclosure audits.

HOW IT FITS TOGETHER

One flywheel — already turning, held back by a single removable brake.

Flywheel diagram:

Center: disclose.io (open · vendor-neutral · the front door)

Stages:
  • STANDARDS: dioterms · dioseal · dnssecuritytxt (lawyer-approved language & records)
  • TOOLS: policymaker · lookup · vault (publish · find the contact · coordinate)
  • DATA: directory / diodb (the open system of record)
  • MEASUREMENT: state.disclose.io · top-100 (the public scoreboard)
  • COMMONS: community · PolicyPulse · dates (signal, norms, momentum)

Links between stages:
  • canonical language powers the tools
  • every new program lands in the open dataset
  • the dataset gets the world scored
  • scores create pressure and signal
  • the commons recruits the next adopters

Annotations:
  • lookup wired into CLI / Caido / Burp / MCP
  • R1 · 27,583 orgs — the open data spine
  • R2 · F100 / ASX100 / FTSE100 audits published
  • R3 · weekly PolicyPulse · open forum
  • B1 · THE BRAKE — 501(c)(3) determination pending · volunteer capacity

Funding releases the brake. The wheel is already turning.

THE ECOSYSTEM · FRONT DOOR

disclose.io — the front door

Mission: Be the front door that explains disclosure, safe harbor, and how to adopt best practice in minutes.

Vision: The default reference link anyone shares when asked "how do we do vulnerability disclosure right?"

→ routes to every property · home of research-threats & the platforms catalog

Live capture of the disclose.io main site front door

Live capture · 1 Jul 2026 · disclose.io

THE ECOSYSTEM · STANDARDS

dioterms / dioseal

Mission: Provide readable, lawyer-approved policy language and a visible badge for doing it right.

Vision: Safe harbor made viral — the seal recognized like a padlock icon for disclosure maturity.

→ templates power policymaker · seals verified by diosts scans of the directory

CC0, lawyer-reviewed

Open policy language and a visible seal for organizations that want to publish defensible safe harbor without starting from scratch.

github.com/disclose/dioterms

THE ECOSYSTEM · DRAFT

policymaker.disclose.io

Mission: Let any organization generate a solid VDP policy, security.txt, and DNS Security TXT without a lawyer.

Vision: The industry-standard generator behind most new safe-harbor policies published on the web.

← dioterms templates · → newly published programs land in the directory

Live capture of policymaker.disclose.io generating disclosure policy text

Live capture · 1 Jul 2026 · policymaker.disclose.io

THE ECOSYSTEM · STANDARDS

dnssecuritytxt

Mission: Standardize a DNS TXT record so security contact info is discoverable at the domain layer.

Vision: Adoption broad enough to reach IETF-track legitimacy and default tooling support.

→ a discovery source for lookup · generated by policymaker

Live capture of the dnssecuritytxt property and standard description

Live capture · 1 Jul 2026 · dnssecuritytxt

THE ECOSYSTEM · PUBLISH & ATTEST

directory.disclose.io / diodb

Mission: Maintain the open, accurate system of record for every VDP and bug bounty program.

Vision: The universally trusted open dataset every disclosure tool and platform builds on.

← policymaker & platform scrapers · → the data spine under lookup, audits, and downstream tools

Live capture of directory.disclose.io showing program records
Live capture of the open bug-bounty-platforms catalog

+ the open bug-bounty-platforms catalog

Live capture · 1 Jul 2026 · directory.disclose.io

THE ECOSYSTEM · FIND THE CONTACT

lookup.disclose.io

Mission: Give researchers instant, free answers to "who owns this asset and how do I report to them safely?"

Vision: The canonical, always-free lookup layer wired into every recon tool, agent, and MCP client researchers use.

← diodb + dnssecuritytxt · → CLI, Caido, Burp, hosted MCP · usage telemetry feeds data quality back

Live capture of lookup.disclose.io resolving an asset to disclosure contacts

Live capture · 1 Jul 2026 · lookup.disclose.io

THE ECOSYSTEM · COORDINATE

vault.disclose.io

Mission: Cryptographically-enforced coordinated disclosure — time-locked submissions, vendor escalation, auto-publication when timelines lapse.

Vision: Deadline enforcement researchers and vendors can both trust, with no human in the loop to pressure.

← lookup finds the contact · → outcomes inform community norms and the blog

Live capture of vault.disclose.io coordinated disclosure workflow

Live capture · 1 Jul 2026 · vault.disclose.io

THE ECOSYSTEM · MEASURE

state.disclose.io + /top-100

Mission: Measure and publish, with zero hallucinations, how well the world's biggest companies actually handle disclosure.

Vision: The scoreboard boards and regulators cite, making safe-harbor maturity a competitive metric.

← audits run over the directory corpus · → public pressure drives adoption through policymaker & dioterms

Live capture of state.disclose.io ecosystem metrics
Live capture of the state.disclose.io top-100 audits

Live capture · 1 Jul 2026 · state.disclose.io

THE ECOSYSTEM · THE RECORD

disclose.io/threats

Mission: Maintain the canonical public archive of legal threats made against security researchers engaged in good-faith vulnerability disclosure.

Vision: The evidence base that makes the case for safe harbor undeniable — every incident recorded, sourced, and tracked to its outcome.

← incidents reported & verified via the community · → grounds the advocacy, the audits, and the legal-defense ecosystem

Live capture of the disclose.io Research Threats archive

Live capture · 1 Jul 2026 · disclose.io/threats

THE ECOSYSTEM · CONNECT

community.disclose.io

Mission: Give researchers and program owners a neutral home to ask, share, and shape disclosure practice.

Vision: The recognized cross-industry commons where disclosure norms are debated and settled.

← PolicyPulse signal & dates · → norms, contributions, and corrections flow back into standards and data

Live capture of community.disclose.io discussion spaces

Live capture · 1 Jul 2026 · community.disclose.io

THE ECOSYSTEM · STAY CURRENT

blog.disclose.io / PolicyPulse

Mission: Keep the ecosystem current on disclosure policy, legal shifts, and program changes every week.

Vision: The must-read policy signal for everyone working in or regulating vulnerability disclosure.

→ feeds the community & the shared calendar · ← disclosure outcomes from across the ecosystem

Live capture of blog.disclose.io and PolicyPulse updates

Live capture · 1 Jul 2026 · blog.disclose.io

THE ECOSYSTEM · SHARED CLOCK

dates.disclose.io

Mission: Put every disclosure-relevant deadline, comment window, and event into one subscribable calendar.

Vision: The shared clock of the disclosure ecosystem — nobody misses a comment period again.

← curated weekly alongside PolicyPulse · → keeps the community synchronized

Subscribable ICS — no UI by design

webcal://dates.disclose.io/upcoming-dates.ics

THE ECOSYSTEM · FOUNDATION

disclose.io, Inc. — the entity

Mission: Finish the Delaware nonprofit and secure 501(c)(3) so the initiative can take funding and endure.

Vision: A durable, funded, independent nonprofit steward for the disclosure commons.

→ the foundation layer: grants, contracts, insurance, and continuity for everything above

Status

  • Delaware nonprofit corporation: INCORPORATED April 2021
  • Federal EIN: ISSUED April 2021
  • Restated certificate & bylaws: DRAFTED (Venable LLP), awaiting adoption
  • IRS Form 1023: PREPARED PATH, filing follows adoption
  • 501(c)(3) determination: PENDING

OPERATING DISCIPLINE

We hold ourselves to the same standard we hold the Fortune 100.

Methodology: disclose.io mission/vision/metrics doctrine, v2 (tiger-teamed), July 2026.

THE ASK

Everything above the line is live. Funding removes the one constraint under it.

The flywheel already spins on volunteer capacity. Sponsorship converts it from a labor of love into durable public infrastructure.

  • Workstream: Complete the legal foundation
    What it buys: Counsel fees, state & IRS filings, D&O insurance
    What it unlocks: Tax-exempt status → grants, fiscal durability, independent governance
    Amount: $ — set by board
  • Workstream: Instrumentation & data freshness
    What it buys: Automated re-validation of the directory, adoption telemetry, public metrics
    What it unlocks: Trustworthy open data every downstream tool inherits
    Amount: $ — set by board
  • Workstream: Sustainability
    What it buys: A second maintainer per critical property, documented runbooks, infrastructure
    What it unlocks: Bus-factor ≥ 2 — the commons outlives any one volunteer
    Amount: $ — set by board

Candor note: disclose.io, Inc. is a Delaware nonprofit; its 501(c)(3) determination is PENDING. Contributions are not yet tax-deductible. Until determination, support is structured as sponsorship or pledges; a fiscal-sponsor route can be arranged for grantmakers that require deductibility.
What B1 throttles: data freshness (R1), audit cadence (R2), and volunteer time (R3). Remove it, and all three loops accelerate.
THE INVITATION

A world where every organization welcomes good-faith security research under safe harbor — and no researcher risks legal harm for helping.

Help us finish the foundation.

casey@disclose.io

disclose.io · policymaker · directory · lookup · vault · community · blog · state · dates · dnssecuritytxt · dioterms
