
disclose.io · a sourced history of the terms

The Archaeology of dioterms

Where the disclose.io safe-harbor terms actually came from — traced to the earliest internet-verifiable ancestor, with every claim anchored to a live archive.

Assembled 2026-05-31 · Links re-checked 2026-07-05 · Ground truth: git author-dates + Wayback timestamps · Confidence-tagged throughout

Earliest provenance root of the dioterms lineage

2014-07-23

First commit of bugcrowd/disclosure-policy — hash 10ea3e1, “first commit,” authored by Chris Raethke (Bugcrowd’s founding CTO) at 23:02:41 −0700.

Precise framing. A “dioterm” is a disclose.io term, and disclose.io did not exist until 2018. The 2014 artifact is not itself a dioterm — it is the earliest internet-traceable ancestor from which the dioterms directly descend, as the repo itself documents. The claim is about provenance, not about the brand existing in 2014.

That repo’s own GitHub description draws the inheritance explicitly:

“Open Source Vulnerability Disclosure Framework. Maintained by Bugcrowd and Cipherlaw. Merged with github.com/disclose/dioterms.”

The defining feature of dioterms — bilateral safe harbor — is already present in that very first 2014 file (responsible_disclosure_policy.md):

“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research…”

The dioterms language is therefore ~4 years older than the disclose.io brand it later fed into. Note this proves a Bugcrowd disclosure-policy repo existed in 2014 — it does not prove disclose.io was co-founded in 2014 (a separate, bio-sourced claim). Keep those two facts apart.

Why this date is HIGH

This is a falsifiable claim: it stands until an earlier Bugcrowd template, gist, or snapshot surfaces. The 2026-05-31 refutation hunt found nothing earlier in Bugcrowd’s repos.

Provenance at a glance

2000 · RFPolicy — first template
2014 · Bugcrowd framework — safe-harbor clause (earliest root)
2018 · disclose.io — merges 3 predecessors
2020 · dioterms repo — canonical terms
’21–’24 · safe harbor enters courts & EU law
2026 · mission: safe, simple, standardized
From pre-2014 disclosure norms to the 2014 Bugcrowd root, the 2018 launch, and the terms in law by 2024.

The lineage chain

Solid lines mark documented inheritance — a repo states it merged something, so that something is a direct ancestor. Dashed lines mark conceptual antecedents: the same problem space, with no sourced derivation.

Conceptual antecedents (dashed):
2000 · RFPolicy v1.1 — disclosure template
2002 · IETF draft — responsible disclosure
2014 · ISO/IEC 29147 — vendor-side standard

Documented chain (solid):
2014 · Bugcrowd + CipherLaw — goodwill safe harbor
2018 · Dropbox — “authorized” under CFAA
2018 · Elazari #legalbugbounty — standardized template
2018 · disclose.io — merges the 3
2020 · dioterms — canonical terms

Solid = documented inheritance · dashed = conceptual antecedent (no sourced derivation)

The solid chain is sourced: disclose.io’s own 2018 launch page names the three tributaries it merged (Bugcrowd+CipherLaw’s 2014 framework, Elazari’s #legalbugbounty, Dropbox’s researcher-protection language), and bugcrowd/disclosure-policy’s description states it merged into disclose/dioterms. The 2000–2014 norms (RFPolicy, IETF draft, ISO 29147) are dashed: they shaped the problem space of standardized disclosure, but no document shows Bugcrowd’s framework deriving its text from them — antecedents, not parents.

Timeline

Each entry: date, milestone, confidence, and source.

Platform pre-history — the crowdsourced-security market (the demand soil)

Pre-history — disclosure norms (the supply soil)

2014 — the earliest provenance root (Bugcrowd precursor, not yet a “dioterm”)

2017–2018 — the legal-safe-harbor idea crystallizes

2018 — disclose.io is born

2020 — the terms get a canonical home + the adoption engine

2021–2022 — the vision broadens

2021–2024 — the surrounding legal landscape (context, not dioterms lineage)

These are parallel developments, not descendants of the dioterms — the safe-harbor norm that disclose.io helped popularize turning up in courts and statutes. No textual derivation is claimed; they are here for context.

Mainstream adoption (one pre-org outlier, shown out of strict order)

Goal evolution

The stated mission, quoted and dated.

When | Stated goal / mission (verbatim) | Source
2014 | (implicit in the framework) “an open-source disclosure policy with legal safe harbor” | bugcrowd/disclosure-policy
2018 (pre-pivot) | “Disclose.io is a community-maintained resource for vulnerability disclosure” — the Jan-2018 guidance site, before the terms-project pivot of Aug 2018 | Wayback 2018-01/08
2018 (launch) | “a collaborative and vendor-agnostic project to standardize best practices around safe harbour for good-faith security research” | Wayback 2018-08-02
2020 | “To drive vulnerability disclosure adoption through safety, simplicity, and standardization” | Wayback 2020-11-15
2022 | “a cross-industry, vendor-agnostic standardization project for safe harbor best practices… a maturity model” | Wayback 2022-07-14
2026 | “make vulnerability disclosure safe, simple, and standardized for everyone” | Wayback 2026-06-04

The arc: a legal artifact (2014 safe-harbor template) → a community resource/directory (2018) → a standardization project with a maturity model (2020–22).

Where the language came from

Seven disclosure policies (2000–2022), compared by their actual text.

The safe-harbor clause, assembled across three organizations

The safe-harbor clause is the newest part of these policies. Three organizations built it, in order:

2014 · Bugcrowd — the goodwill promise, no statutes HIGH

“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research.”

2018 · Dropbox — where the legal magic word “authorized” enters (Mar 21, 2018), eight days before Elazari’s template repo, which credits it HIGH

“…we consider actions consistent with the policy as constituting ‘authorized’ conduct under the Computer Fraud and Abuse Act (CFAA)” · “a pledge that we won’t bring a Digital Millennium Copyright Act (DMCA) action…” · “…if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy (and therefore authorized by us).”

2018 · Elazari #legalbugbounty — standardizes it into a reusable, statute-naming template HIGH

“…‘authorized’ conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c).”

Its README credits the basis: “…the DOJ guidelines… and some leading policies like Dropbox.”

2020 · dioterms — the parameterized synthesis HIGH

“Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action… Authorized concerning any relevant anti-circumvention laws… Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP)… Lawful, helpful… and conducted in good faith.”

Similarity is not provenance. This is concordance + chronology across the texts actually fetched — not a commit-level “who-typed-what” diff. The order is corroborated by disclose.io’s own “three tributaries” attribution (Bugcrowd framework + Elazari + Dropbox) and Elazari’s explicit Dropbox credit, but generic legalese and parallel drafting are not excluded.

Feature comparison

Feature | RFPolicy ’00 | IETF ’02 | ISO ’14 | Bugcrowd ’14 | Dropbox ’18 | Elazari ’18 | dioterms ’20
Disclosure window: ✅ 5d | ✅ 30d | ✅ 90d | ✅ param
Researcher conduct:
Vendor commitments:
Legal safe harbor: ❌ disclaims | ⚪ goodwill | ✅ | ✅ CFAA/DMCA | ✅ | ✅ +Cal 502 | ✅ structured
Bilateral structure:
Machine-readable: ✅ security.txt
Self-label: Full Disclosure | Responsible | Vuln disclosure | Responsible Disc. | VDP | Safe Harbor | VDP / BBP
(Cells are listed in source order; icon-only cells did not survive extraction, so rows may be shorter than the header.)

✅ present · ⚪ partial · ➖ clause-insert (not a whole policy) · ❌ absent · ❔ not retrievable (paywalled). Safe harbor is the last major feature to appear — ~17 years after the disclosure window.

The terminology arc

Full Disclosure (2000, completeness) → Responsible (2002, process) → Coordinated / CVD (2010–14, neutrality — CERT/CC: “responsible… is a matter of opinion… framed within the values of whoever is using the term”) → Safe Harbor (2017–18, legality). dioterms speaks all four dialects at once.

How the needs evolved

A disclosure policy started as a threat (“fix it or I publish”), became a protocol, then a brand-neutral standard, then a reusable contract, then a legal shield, and finally a machine-readable, government-mandated interface.

Confidence legend & honest caveats

HIGH = git commit hash, GitHub API field, RFC/directive, or verified Wayback snapshot. · MED = single/secondary source or non-day-precise date.
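The page anchors its ground truth to git author-dates and Wayback timestamps; as an added example (not the page's or disclose.io's own tooling), this normalizes both into UTC and checks the chronology claims above: the 10ea3e1 commit date, the eight days from Dropbox to Elazari, and the roughly four years to the 2018 launch. The evidence records are constructed from dates on this page; the Wayback time-of-day digits, the snapshot URL and the Elazari date are assumptions.

```python
"""Normalize the two timestamp kinds this page uses as ground truth (git
author-dates with a UTC offset; 14-digit Wayback stamps, always UTC) into
one UTC chronology, then check the page's chronological claims."""
import re
from datetime import datetime, timezone

WAYBACK_RE = re.compile(r"/web/(\d{14})")  # stamp embedded in a snapshot URL


def parse_git_author_date(s: str) -> datetime:
    """git's ISO-8601 author date, e.g. '2014-07-23T23:02:41-07:00', as UTC."""
    return datetime.fromisoformat(s).astimezone(timezone.utc)


def parse_wayback(url_or_stamp: str) -> datetime:
    """A bare 'YYYYMMDDhhmmss' Wayback stamp or one embedded in a snapshot URL."""
    m = WAYBACK_RE.search(url_or_stamp)
    stamp = m.group(1) if m else url_or_stamp
    if not re.fullmatch(r"\d{14}", stamp):
        raise ValueError(f"not a Wayback timestamp: {url_or_stamp!r}")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def to_utc(kind: str, raw: str) -> datetime:
    """Dispatch on evidence kind; a bare date ('2018-03-21') is midnight UTC."""
    if kind == "git":
        return parse_git_author_date(raw)
    if kind == "wayback":
        return parse_wayback(raw)
    return datetime.fromisoformat(raw).replace(tzinfo=timezone.utc)


# Constructed evidence list: (label, kind, raw). The commit date and the Wayback
# dates are the ones this page cites; the Wayback time-of-day digits, the snapshot
# URL and the Elazari date (Dropbox + 8 days, per the page) are assumptions.
EVIDENCE = [
    ("bugcrowd/disclosure-policy first commit 10ea3e1", "git", "2014-07-23T23:02:41-07:00"),
    ("disclose.io guidance site (pre-pivot)", "wayback", "20180115000000"),
    ("Dropbox 'authorized' language", "date", "2018-03-21"),
    ("Elazari #legalbugbounty repo", "date", "2018-03-29"),
    ("disclose.io launch page", "wayback", "https://web.archive.org/web/20180802000000/https://disclose.io/"),
    ("dioterms mission statement", "wayback", "20201115000000"),
]


def chronology(records=EVIDENCE):
    """Records sorted by normalized UTC time, as (utc_datetime, label) pairs."""
    return sorted((to_utc(kind, raw), label) for label, kind, raw in records)


def days_between(label_a: str, label_b: str, records=EVIDENCE) -> int:
    """Whole days from record A to record B (negative if B precedes A)."""
    when = {label: to_utc(kind, raw) for label, kind, raw in records}
    return (when[label_b] - when[label_a]).days
```

Note that 23:02:41 −0700 on 2014-07-23 is already 2014-07-24 in UTC, the zone Wayback stamps use, so normalize to one zone before counting days between a commit and a snapshot.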

Caveats (carried forward, not hidden):

References & archives

Every source re-checked 2026-07-05. A few (SSRN, iso.org, the Belgian CCB page) block bots but render in a browser; each is cited with a Wayback copy. Wayback snapshots are immutable.

GitHub — commits & repos (ground truth)

Web archives — Wayback Machine snapshots

Papers, standards, RFCs & directives

Predecessor policy texts (fetched verbatim for the lineage)

Primary social & press