The infrastructure that powers vulnerability disclosure and security reporting — Internet-wide.
Prepared July 2026 · all product screenshots are live captures · state.disclose.io data
Live capture · 1 Jul 2026 · disclose.io/threats
Be the infrastructure that powers vulnerability disclosure and security reporting, Internet-wide — safe, simple, and standardized for researchers and organizations everywhere.
A world where every organization welcomes good-faith security research under safe harbor, and no researcher risks legal harm for helping.
Lineage evidence: git root-commit + Wayback corroboration, disclose-archeology (2026), every date source-anchored.
Counts: state.disclose.io + June 2026 disclosure audits.
Mission: Be the front door that explains disclosure, safe harbor, and how to adopt best practice in minutes.
Vision: The default reference link anyone shares when asked "how do we do vulnerability disclosure right?"
→ routes to every property · home of research-threats & the platforms catalog
Live capture · 1 Jul 2026 · disclose.io
Mission: Provide readable, lawyer-approved policy language and a visible badge for doing it right.
Vision: Safe harbor made viral — the seal recognized like a padlock icon for disclosure maturity.
→ templates power policymaker · seals verified by diosts scans of the directory
Open policy language and a visible seal for organizations that want to publish defensible safe harbor without starting from scratch.
github.com/disclose/dioterms
Mission: Let any organization generate a solid VDP policy, security.txt, and DNS Security TXT without a lawyer.
Vision: The industry-standard generator behind most new safe-harbor policies published on the web.
← dioterms templates · → newly published programs land in the directory
Live capture · 1 Jul 2026 · policymaker.disclose.io
Mission: Standardize a DNS TXT record so security contact info is discoverable at the domain layer.
Vision: Adoption broad enough to reach IETF-track legitimacy and default tooling support.
→ a discovery source for lookup · generated by policymaker
Live capture · 1 Jul 2026 · dnssecuritytxt
Mission: Maintain the open, accurate system of record for every VDP and bug bounty program.
Vision: The universally trusted open dataset every disclosure tool and platform builds on.
← policymaker & platform scrapers · → the data spine under lookup, audits, and downstream tools
+ the open bug-bounty-platforms catalog
Live capture · 1 Jul 2026 · directory.disclose.io
Mission: Give researchers instant, free answers to "who owns this asset and how do I report to them safely?"
Vision: The canonical, always-free lookup layer wired into every recon tool, agent, and MCP client researchers use.
← diodb + dnssecuritytxt · → CLI, Caido, Burp, hosted MCP · usage telemetry feeds data quality back
Live capture · 1 Jul 2026 · lookup.disclose.io
Mission: Cryptographically enforced coordinated disclosure: time-locked submissions, vendor escalation, and auto-publication when timelines lapse.
Vision: Deadline enforcement researchers and vendors can both trust, with no human in the loop to pressure.
← lookup finds the contact · → outcomes inform community norms and the blog
Live capture · 1 Jul 2026 · vault.disclose.io
Mission: Measure and publish, with zero hallucinations, how well the world's biggest companies actually handle disclosure.
Vision: The scoreboard boards and regulators cite, making safe-harbor maturity a competitive metric.
← audits run over the directory corpus · → public pressure drives adoption through policymaker & dioterms
Live capture · 1 Jul 2026 · state.disclose.io
Mission: Maintain the canonical public archive of legal threats made against security researchers engaged in good-faith vulnerability disclosure.
Vision: The evidence base that makes the case for safe harbor undeniable — every incident recorded, sourced, and tracked to its outcome.
← incidents reported & verified via the community · → grounds the advocacy, the audits, and the legal-defense ecosystem
Live capture · 1 Jul 2026 · disclose.io/threats
Mission: Give researchers and program owners a neutral home to ask, share, and shape disclosure practice.
Vision: The recognized cross-industry commons where disclosure norms are debated and settled.
← PolicyPulse signal & dates · → norms, contributions, and corrections flow back into standards and data
Live capture · 1 Jul 2026 · community.disclose.io
Mission: Keep the ecosystem current on disclosure policy, legal shifts, and program changes every week.
Vision: The must-read policy signal for everyone working in or regulating vulnerability disclosure.
→ feeds the community & the shared calendar · ← disclosure outcomes from across the ecosystem
Live capture · 1 Jul 2026 · blog.disclose.io
Mission: Put every disclosure-relevant deadline, comment window, and event into one subscribable calendar.
Vision: The shared clock of the disclosure ecosystem — nobody misses a comment period again.
← curated weekly alongside PolicyPulse · → keeps the community synchronized
webcal://dates.disclose.io/upcoming-dates.ics
Mission: Finish the Delaware nonprofit and secure 501(c)(3) so the initiative can take funding and endure.
Vision: A durable, funded, independent nonprofit steward for the disclosure commons.
→ the foundation layer: grants, contracts, insurance, and continuity for everything above
| Milestone | Status |
|---|---|
| Delaware nonprofit corporation | INCORPORATED April 2021 |
| Federal EIN | ISSUED April 2021 |
| Restated certificate & bylaws | DRAFTED (Venable LLP), awaiting adoption |
| IRS Form 1023 | PREPARED PATH, filing follows adoption |
| 501(c)(3) determination | PENDING |
Methodology: disclose.io mission/vision/metrics doctrine, v2 (tiger-teamed), July 2026.
The flywheel already spins on volunteer capacity. Sponsorship converts it from a labor of love into durable public infrastructure.
| Workstream | What it buys | What it unlocks | Amount |
|---|---|---|---|
| Complete the legal foundation | Counsel fees, state & IRS filings, D&O insurance | Tax-exempt status → grants, fiscal durability, independent governance | $ — set by board |
| Instrumentation & data freshness | Automated re-validation of the directory, adoption telemetry, public metrics | Trustworthy open data every downstream tool inherits | $ — set by board |
| Sustainability | A second maintainer per critical property, documented runbooks, infrastructure | Bus-factor ≥ 2 — the commons outlives any one volunteer | $ — set by board |
Help us finish the foundation.
disclose.io · policymaker · directory · lookup · vault · community · blog · state · dates · dnssecuritytxt · dioterms