Introducing the disclose.io Policymaker!
A free, open-source, multi-lingual, template-based VDP policy, safe harbor clause, securitytxt, and DNS Security TXT generator.
Who is this for?
Policymaker is a "one-stop-shop" policy generator for anyone launching a vulnerability disclosure program (VDP) for the first time, looking to update their VDP policy, or wanting to add features to an existing program.
Once completed, Policymaker will provide you with:
A full vulnerability disclosure program policy (for new or replacement VDPs),
A safe harbor clause (for insertion into an existing VDP)
security.txt files, and
DNS Security TXT records.
How does it work?
It's as easy as 1-2-3...
Policymaker will ask you a few questions about your organization's name, security contact channels, preferred policy deployment page, and, if you have one, your vulnerability disclosure timeline.
The tool will use the disclose.io standardized policy repository (created and maintained by industry experts, lawyers, and legal teams of large organizations that run VDPs) to create a policy just for you.
Download the policy in HTML or Markdown, as well as RFC-compliant security.txt and DNS Security TXT records.
This is the crucial part... We've worked hard to make creating these artifacts simple and standardized - the power comes when you put them to work!
Publish your VDP on a web page on your main website, or through a VDP platform provider such as Bugcrowd, HackerOne, or Intigriti, and deploy the security.txt file in a directory on the servers and systems covered by the VDP, as well as the DNS Security TXT records into the DNS zone for domains covered by the VDP.
Each artifact comes with instructions, which you can pass on to the appropriate teams within your organization to implement and legal teams for review.
Your domain will be added to a list of domains scanned for updates into the Disclose.io Contact Database, and your new VDP will appear in our records once the security.txt is implemented.
After reviewing your published policy, a disclose.io maintainer will mark your VDP as Level 4 - Full Safe Harbor or Level 5 - Full Safe Harbor with CVD in the Disclose.io Status Database, and you will be able to display the appropriate Disclose.io Maturity Seal on your website.
Note: While we've engaged the legal opinion of many, the policy output of Policymaker does not constitute legal advice. Please consult your legal counsel for the specific suitability of the disclose.io terms in your organization.
What will I require?
The legal name of your organization.
The contact channels through which you intend to receive security reports. It is acceptable to use web forms and email addresses, or a combination of the two.
The location where you intend to host your VDP policy. You can change this later if necessary.
(Optional): A timetable for coordinated vulnerability disclosure (CVD). If you don't know what this is, you'll be given a sane default and the option to opt-out.
This is awesome! How can I contribute?
Glad you asked! There are a couple of ways to help:
Spread the word! If an organization is missing a VDP, their VDP terms are missing safe harbor, or they are missing a security.txt or DNS Security TXT record, point them this way for free, community-powered help in getting set up.
Help us translate! The primary templates for policymaker are written in en-US and can be found here: https://github.com/disclose/policymaker/tree/main/templates. The Arabic translation is complete, and we’re looking for Hindi, German, Russian, Spanish, and en-GB. Drop an issue in the Github repo if this is something you’d like to be involved with!