
disclose-archeology · sourced historical timeline

The Archaeology of dioterms

Where the disclose.io safe-harbor terms actually came from — traced to the earliest internet-verifiable ancestor, with every claim anchored to a live archive.

📅 Assembled 2026-05-31 🔗 Links re-checked 2026-06-21 🧬 Ground truth: git author-dates + Wayback timestamps ⚖️ Confidence-tagged throughout

🏆 Earliest provenance root of the dioterms lineage

2014-07-23

First commit of bugcrowd/disclosure-policy — hash 10ea3e1, “first commit,” authored by Chris Raethke (Bugcrowd’s founding CTO) at 23:02:41 −0700.

⚠️ Precise framing (matters). A “dioterm” is a disclose.io term, and disclose.io did not exist until 2018. The 2014 artifact is not itself a dioterm — it is the earliest internet-traceable ancestor that the dioterms are directly, repo-documentedly descended from. The claim is about provenance, not about the brand existing in 2014.

That repo’s own GitHub description draws the inheritance explicitly:

“Open Source Vulnerability Disclosure Framework. Maintained by Bugcrowd and Cipherlaw. Merged with github.com/disclose/dioterms.”

And the defining feature of dioterms — bilateral safe harbor — is already present in that very first 2014 file (responsible_disclosure_policy.md):

“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research…”

So the dioterms language is ~4 years older than the disclose.io brand it later fed into. Note this proves a Bugcrowd disclosure-policy repo existed in 2014 — it does not prove disclose.io was co-founded in 2014 (a separate, bio-sourced claim). Keep those two facts apart.

Why this date is HIGH, not just one self-reported timestamp

This is a falsifiable claim: it stands until an earlier Bugcrowd template, gist, or snapshot surfaces. The 2026-05-31 refutation hunt found nothing earlier in Bugcrowd’s repos.

The shape of it

A single image of the whole lineage, predecessors → dioterms.

[Figure: visual timeline of the dioterms lineage from 2000 to 2025 (disclose.io palette).]

🧬 The lineage chain

Solid arrows (──▶) = documented inheritance (a repo states it merged X; X is a direct ancestor). Dashed (╌╌▶) = conceptual antecedent only — same problem space, no sourced derivation.

  CONCEPTUAL ANTECEDENTS          DOCUMENTED-INHERITANCE CHAIN                  CONFLUENCE            CANONICAL HOME
  (no sourced derivation)
 ┌──────────────────┐
 │ 2000  RFPolicy v1│╌╌┐
 │  (Rain Forest    │  ╎
 │   Puppy)         │  ╎   ┌─────────────────────────────────┐
 └──────────────────┘  ╎ ╌▶│ 2014-07-23 Bugcrowd + CipherLaw │──┐  (repo: "Merged with disclose/dioterms")
 ┌──────────────────┐  ╎   │  "Open Source Vuln Disclosure   │  │
 │ 2002 IETF resp.  │╌╌┤   │   Framework" (disclosure-policy)│  │   ┌──────────────────┐   ┌─────────────────┐
 │  disclosure draft│  ╎   │  → bilateral safe-harbor clause │  ├──▶│ 2018-08-02       │──▶│ 2020-06-30      │
 ├──────────────────┤  ╎   └─────────────────────────────────┘  │   │ disclose.io      │   │ disclose/       │
 │ 2014-02 ISO 29147│╌╌┘                                         │   │ LAUNCHES         │   │ dioterms repo   │
 └──────────────────┘      ┌─────────────────────────────────┐  │   │ (Bugcrowd +      │   │ → generic-core- │
                           │ 2017-18 Amit Elazari            │  │   │  Elazari) merges │   │   terms.md      │
                           │  #LegalBugBounty / "Hacking the │──┘   │  3 predecessors  │   │ (2020-07-15)    │
                           │  Law" safe-harbor scholarship   │      └──────────────────┘   └─────────────────┘
                           │  + Dropbox researcher protection│
                           └─────────────────────────────────┘

The solid chain is sourced: disclose.io’s own 2018 launch page names the three tributaries it merged (Bugcrowd+CipherLaw’s 2014 framework, Elazari’s #legalbugbounty, Dropbox’s researcher-protection language), and bugcrowd/disclosure-policy’s description states it merged into disclose/dioterms. The 2000–2014 norms (RFPolicy, IETF draft, ISO 29147) are dashed: they shaped the problem space of standardized disclosure, but no document shows Bugcrowd’s framework deriving its text from them — antecedents, not parents.

🗓️ Timeline

Each entry: date — milestone (project goal/intent active then) — confidence — source.

Platform pre-history — the crowdsourced-security market (the demand soil)

Pre-history — disclosure norms (the supply soil)

2014 — the earliest provenance root (Bugcrowd precursor, not yet a “dioterm”)

2017–2018 — the legal-safe-harbor idea crystallizes

2018 — disclose.io is born

2020 — the terms get a canonical home + the adoption engine

2021–2022 — the vision broadens

Mainstream adoption (one pre-org outlier, shown out of strict order)

📈 Goal evolution

Verbatim, dated — the safe-harbor clause is the invariant; the ambition around it kept widening.

When | Stated goal / mission (verbatim) | Source
2014 | (implicit in the framework) “an open-source disclosure policy with legal safe harbor” | bugcrowd/disclosure-policy
2018 (pre-pivot) | “Disclose.io is a community-maintained resource for vulnerability disclosure” — the Jan-2018 guidance site, before the terms-project pivot of Aug 2018 | Wayback 2018-01/08
2020 | “To drive vulnerability disclosure adoption through safety, simplicity, and standardization” | Wayback 2020-11-15
2022 | “a cross-industry, vendor-agnostic standardization project for safe harbor best practices… a maturity model” | Wayback 2022-07-14

The arc: a legal artifact (2014 safe-harbor template) → a community resource/directory (2018) → a standardization project with a maturity model (2020–22).

🧩 Where the language came from

Seven disclosure policies, 2000–2022, compared by their actual fetched text — how the clauses, and the needs behind them, evolved.

The safe-harbor clause, assembled across three organizations

The clause everyone now treats as the heart of the dioterms is the genre’s most recent organ — and it has three distinct authors. Traced verbatim:

2014 · Bugcrowd — the goodwill promise, no statutes · HIGH

“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research.”

2018 · Dropbox — where the legal magic word “authorized” enters (Mar 21, 2018), eight days before Elazari’s template repo, which credits it · HIGH

“…we consider actions consistent with the policy as constituting ‘authorized’ conduct under the Computer Fraud and Abuse Act (CFAA)” · “a pledge that we won’t bring a Digital Millennium Copyright Act (DMCA) action…” · “…if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy (and therefore authorized by us).”

2018 · Elazari #legalbugbounty — standardizes it into a reusable, statute-naming template · HIGH

“…‘authorized’ conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c).”

Its README credits the basis: “…the DOJ guidelines… and some leading policies like Dropbox.”

2020 · dioterms — the parameterized synthesis · HIGH

“Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action… Authorized concerning any relevant anti-circumvention laws… Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP)… Lawful, helpful… and conducted in good faith.”

⚠ Similarity ≠ provenance. This is concordance + chronology across the texts actually fetched — not a commit-level “who-typed-what” diff. The order is corroborated by disclose.io’s own “three tributaries” attribution (Bugcrowd framework + Elazari + Dropbox) and Elazari’s explicit Dropbox credit, but generic legalese and parallel drafting are not excluded.

Feature comparison — the oldest feature is the clock, not the contract

Feature | RFPolicy ’00 | IETF ’02 | ISO ’14 | Bugcrowd ’14 | Dropbox ’18 | Elazari ’18 | dioterms ’20
Disclosure window | ✅ 5d · ✅ 30d · ✅ 90d · ✅ param
Researcher conduct |
Vendor commitments |
Legal safe harbor | ❌ disclaims · ⚪ goodwill · ✅ · ✅ CFAA/DMCA · ✅ +Cal 502 · ✅ structured
Bilateral structure |
Machine-readable | ✅ security.txt
Self-label | Full Disclosure | Responsible | Vuln disclosure | Responsible Disc. | VDP | Safe Harbor | VDP / BBP

✅ present · ⚪ partial · ➖ clause-insert (not a whole policy) · ❌ absent · ❔ not retrievable (paywalled). Safe harbor is the last major feature to appear — ~17 years after the disclosure window.

The terminology arc — accreting layers, not replacements

Full Disclosure (2000, completeness) → Responsible (2002, process) → Coordinated / CVD (2010–14, neutrality — CERT/CC: “responsible… is a matter of opinion… framed within the values of whoever is using the term”) → Safe Harbor (2017–18, legality). dioterms speaks all four dialects at once.

How the needs evolved — each layer answered a new fear

A disclosure policy started as a threat (“fix it or I publish”), became a protocol, then a brand-neutral standard, then a reusable contract, then a legal shield, and finally a machine-readable, government-mandated interface.

🔎 Confidence legend & honest caveats

HIGH = git commit hash, GitHub API field, RFC/directive, or verified Wayback snapshot. MED = single/secondary source or non-day-precise date.

Caveats (carried forward, not hidden):

📚 References & archives

Sources drawn from the project’s verified ledger. Re-checked 2026-06-21: GitHub commits/repos, standards, RFCs & directives all live (HTTP 200); SSRN 403s to bots (renders in-browser); the Bugcrowd launch-blog URL has 404’d since their rebrand (launch corroborated by the 2018-08-29 disclose.io snapshot); the Alex Rice (Bugcrowd-launched-first) tweet links directly to X, with a Wayback copy alongside (X blocks bot fetches; the tweet renders live in a browser). The six Wayback snapshots are immutable.

GitHub — commits & repos (ground truth)

Web archives — Wayback Machine snapshots

Papers, standards, RFCs & directives

Predecessor policy texts (fetched verbatim for the lineage)

Primary social & press

  • Alex Rice (HackerOne co-founder/CTO) — the Bugcrowd-launched-first tweet: “Both founded 2012, @Bugcrowd launched first…” (live in browser; X blocks bot fetches) · x.com/senorarroz/status/779402727885410304 · archived copy
  • Bugcrowd — “Introducing disclose.io” launch blog (2018-08-02) — ⚠ original URL now 404 (post-rebrand); not in Wayback. Launch corroborated by the 2018-08-29 disclose.io snapshot above + the diodb repo. · www.bugcrowd.com/blog/introducing-disclose-io/
  • U.S. DoD VDP / Hack the Pentagon (2016-11-21) · hackerone.com/deptofdefense