Earliest provenance root of the dioterms lineage
The first commit of bugcrowd/disclosure-policy — hash 10ea3e1, “first commit,” authored by Chris Raethke (Bugcrowd’s founding CTO) on 2014-07-23 at 23:02:41 −0700.
That repo’s own GitHub description draws the inheritance explicitly:
“Open Source Vulnerability Disclosure Framework. Maintained by Bugcrowd and Cipherlaw. Merged with github.com/disclose/dioterms.”
The defining feature of dioterms — bilateral safe harbor — is already present in that very first 2014 file (responsible_disclosure_policy.md):
“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research…”
The dioterms language is therefore ~4 years older than the disclose.io brand it later fed into. Note this proves a Bugcrowd disclosure-policy repo existed in 2014 — it does not prove disclose.io was co-founded in 2014 (a separate, bio-sourced claim). Keep those two facts apart.
Why this date is HIGH
- Author date == committer date (2014-07-23 23:02:41 −0700) — no rebase/backdate divergence.
- Root commit — rev-list --parents shows no parent → a genuine initial commit, not a migrated history.
- Clean initial commit — 3 files / 105 insertions (one policy + one guide + README), not a bulk import that would make the date suspect.
- Independent corroboration — the Wayback Machine captured the live repo on 2014-10-16 (HTTP 200), ~3 months after the commit, and again on 2015-03-17. Git and Wayback agree.
This is a falsifiable claim: it stands until an earlier Bugcrowd template, gist, or snapshot surfaces. The 2026-05-31 refutation hunt found nothing earlier in Bugcrowd’s repos.
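The four git/Wayback criteria above, turned into a repeatable check. This is an added example, not code from the page or from Bugcrowd/disclose.io: it parses the output of the git commands and the Wayback CDX query named in the comments, over constructed sample output that carries the values the page states (the exact output shapes and the CDX capture times of day are assumptions).

```python
import re
from datetime import datetime, timezone

# Constructed sample output for bugcrowd/disclosure-policy 10ea3e1. The values
# are the ones the page states; the output shapes are assumed from how git and
# the Wayback CDX API print them (the CDX times of day are made up).

#   git log -1 --format='%ai|%ci' 10ea3e1      -> author date | committer date
LOG_LINE = "2014-07-23 23:02:41 -0700|2014-07-23 23:02:41 -0700"

#   git rev-list --parents -n 1 10ea3e1        -> commit, then its parents
PARENTS_LINE = "10ea3e1"   # real output prints the full 40-character hash

#   git show --stat --format= 10ea3e1 | tail -n 1
STAT_TAIL = " 3 files changed, 105 insertions(+)"

#   curl 'https://web.archive.org/cdx/search/cdx?url=github.com/bugcrowd/disclosure-policy'
#   fields: urlkey timestamp original mimetype statuscode digest length
CDX_LINES = [
    "com,github)/bugcrowd/disclosure-policy 20141016120000 "
    "https://github.com/bugcrowd/disclosure-policy text/html 200 DIGEST1 10000",
    "com,github)/bugcrowd/disclosure-policy 20150317120000 "
    "https://github.com/bugcrowd/disclosure-policy text/html 200 DIGEST2 10000",
]

# Contrasting constructed case: same author date, but the commit was rewritten
# (committer date months later) and has a parent, so it is not a root.
REBASED_LOG_LINE = "2014-07-23 23:02:41 -0700|2015-01-05 10:00:00 +0000"
REBASED_PARENTS_LINE = "10ea3e1 0000000"


def parse_git_date(text):
    """Parse git's %ai/%ci form, e.g. '2014-07-23 23:02:41 -0700'."""
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S %z")


def parse_cdx_timestamp(ts):
    """Wayback CDX timestamps are YYYYMMDDhhmmss in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def assess_root_commit(log_line, parents_line, stat_tail, cdx_lines, max_files=10):
    """Apply the page's four HIGH-confidence criteria to a claimed root commit.

    Returns the parsed facts plus a per-criterion verdict: 'HIGH' only when every
    criterion holds, otherwise 'MED' (the date still needs corroboration).
    """
    author_date, committer_date = (parse_git_date(p) for p in log_line.split("|"))
    n_parents = len(parents_line.split()) - 1

    m = re.match(r"\s*(\d+) files? changed(?:, (\d+) insertions?\(\+\))?", stat_tail)
    n_files = int(m.group(1)) if m else None
    insertions = int(m.group(2)) if m and m.group(2) else 0

    # Only HTTP 200 captures count as evidence that the repo was live.
    captures = []
    for line in cdx_lines:
        fields = line.split()
        if len(fields) >= 5 and fields[4] == "200":
            captures.append(parse_cdx_timestamp(fields[1]))
    earliest = min(captures) if captures else None
    gap_days = (earliest - committer_date).days if earliest else None

    checks = {
        "dates_agree": author_date == committer_date,   # no rebase/backdate divergence
        "is_root": n_parents == 0,                       # genuine initial commit
        "small_initial": n_files is not None and n_files <= max_files,  # not a bulk import
        "archive_corroborates": earliest is not None and earliest > committer_date,
    }
    return {
        "author_date": author_date, "committer_date": committer_date,
        "n_parents": n_parents, "n_files": n_files, "insertions": insertions,
        "earliest_200_capture": earliest, "gap_days": gap_days,
        "checks": checks,
        "confidence": "HIGH" if all(checks.values()) else "MED",
    }


if __name__ == "__main__":
    for label, log, parents in (("claimed root", LOG_LINE, PARENTS_LINE),
                                ("rebased", REBASED_LOG_LINE, REBASED_PARENTS_LINE)):
        r = assess_root_commit(log, parents, STAT_TAIL, CDX_LINES)
        print(label, r["confidence"], r["checks"], "gap_days =", r["gap_days"])
```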
Provenance at a glance
The lineage chain
Solid lines mark documented inheritance — a repo states it merged something, so that something is a direct ancestor. Dashed lines mark conceptual antecedents: the same problem space, with no sourced derivation.
The solid chain is sourced: disclose.io’s own 2018 launch page names the three tributaries it merged (Bugcrowd+CipherLaw’s 2014 framework, Elazari’s #legalbugbounty, Dropbox’s researcher-protection language), and bugcrowd/disclosure-policy’s description states it merged into disclose/dioterms. The 2000–2014 norms (RFPolicy, IETF draft, ISO 29147) are dashed: they shaped the problem space of standardized disclosure, but no document shows Bugcrowd’s framework deriving its text from them — antecedents, not parents.
Timeline
Each entry: date, milestone, confidence, and source.
Platform pre-history — the crowdsourced-security market (the demand soil)
- 2012
Bugcrowd & HackerOne both founded; Bugcrowd launched first. Per HackerOne co-founder/CTO Alex Rice, on record: “Both founded 2012, @Bugcrowd launched first! @Hacker0x01 kickoff 2/2012, 1st commit 4/2012, 1st private 1/2013, 1st public 10/2013.” HIGH · Crowdsourced security as a service put researchers and orgs into at-scale engagement — exactly what made standardized safe-harbor terms necessary by 2014.
- 2013-03-05
Bugcrowd’s “The List” — earliest Wayback capture of a community-maintained public directory of bug-bounty programs (“Last update: 2nd March 2013”). A functional antecedent of diodb (2018) on the directory axis — conceptual only, no documented derivation. MED
Pre-history — disclosure norms (the supply soil)
- 2000-08-19
RFPolicy v1.1 (Rain Forest Puppy) live on wiretrip.net — first formalized vulnerability-disclosure policy template; v2.0 (“5 working days”) followed, bracketed by Wayback snapshots. HIGH · Goal: give researchers a repeatable, fair disclosure process.
- 2002-02-15
IETF draft “Responsible Vulnerability Disclosure Process” (Christey/MITRE + Wysopal/@stake), rev 00. HIGH · Goal: standardize “responsible disclosure” terminology.
- 2010-07-22
Microsoft (MSRC) reframes “Responsible Disclosure” → “Coordinated Vulnerability Disclosure.” The neutrality pivot between “responsible” (2002) and the ISO-era vocabulary. HIGH · Goal: strip the moral judgment out of the terminology.
- 2013-11
ISO/IEC 30111 first edition (vulnerability handling processes) — the vendor-internal handling standard, published ~3 months before its better-known sibling ISO/IEC 29147. HIGH
- 2014-02
ISO/IEC 29147 first edition (vulnerability disclosure). MED · Goal: a formal international standard.
2014 — the earliest provenance root (Bugcrowd precursor, not yet a “dioterm”)
- 2014-03-31
Bugcrowd “Standard Disclosure Terms” — platform-wide terms for its programs (in-page changelog: “Initial Release”), carrying researcher-protection intent (“the more closely your behavior follows these rules, the more we’ll be able to protect you”) but no legal safe-harbor clause. An earlier Bugcrowd terms artifact — not the provenance root. HIGH capture / MED release-day · Wayback-verified 2014-04-11; the changelog claims a 2014-03-31 initial release.
- 2014-07-15
Google announces Project Zero — 8 days before the root commit; its 90-day disclosure deadline (+14-day grace) is formalized 2015-02-13. The July-2014 disclosure-norms fortnight; conceptual antecedent (dashed). HIGH
- 2014-07-23
bugcrowd/disclosure-policy first commit (10ea3e1, Chris Raethke). Files: responsible_disclosure_policy.md, setting_up_a_responsible_disclosure_program.md. HIGH · Goal: an open-source, copy-pasteable disclosure framework with built-in legal safe harbor for researchers.
- 2014-07-24
Launch press (~15h after the commit): PRNewswire “Bugcrowd Releases Open Source Responsible Disclosure Framework” + Threatpost, both pointing at the repo and quoting CipherLaw’s Jim Denaro (“…researchers… are not discouraged from reporting… because of the legal risks”). The git + Wayback + press triangle, closed. HIGH
- 2014-10-16
Earliest Wayback capture of the Bugcrowd framework repo (HTTP 200). HIGH
2017–2018 — the legal-safe-harbor idea crystallizes
- 2017
Amit Elazari’s safe-harbor scholarship begins (DEF CON Skytalks / BSidesLV, unrecorded). MED · Goal: make legal safe harbor a standardized norm, not a per-program favor.
- 2017-07
U.S. DOJ Criminal Division publishes “A Framework for a Vulnerability Disclosure Program for Online Systems,” v1.0 — prosecutorial guidance for designing VDPs that reduce researcher legal risk. Elazari’s template README credits it. HIGH
- 2017-08
CERT/CC publishes The CERT Guide to Coordinated Vulnerability Disclosure (CMU/SEI-2017-SR-022) — the canonical CVD handbook. HIGH
- 2018-01
Enigma 2018 talk “Hacking the Law: Are Bug Bounties a True Safe Harbor?” HIGH
- 2018-03-21
Dropbox — “Protecting Security Researchers”: the first “‘authorized’ conduct under the CFAA” + DMCA-waiver safe-harbor language in this corpus. HIGH
- 2018-03-29
EdOverflow/legal-bug-bounty templates repo created (README credits Dropbox). HIGH
- 2018-04-12
SSRN paper “Private Ordering Shaping Cybersecurity Policy: The Case of Bug Bounties” (SSRN ID 3161758 — no DOI; cite the ID). HIGH
2018 — disclose.io is born
- 2018-05-16
disclose/diodb first commit (0158e3b) — oldest repo in the disclose org. HIGH
- 2018-08-02
disclose.io launches (Bugcrowd + Amit Elazari), explicitly merging the three predecessors. HIGH · Goal (2018 launch-day, verbatim): “a collaborative and vendor-agnostic project to standardize best practices around safe harbour for good-faith security research.”
- 2018-08-02
The launch-day Wayback capture already shows the full terms project: “Read the core terms,” all three tributaries named, and “so our hacker friends don’t go to jail.” (Corrects an earlier “first terms capture = 2018-08-29”.) HIGH
- 2018-10
ISO/IEC 29147 second edition published (the 2014 first edition withdrawn/superseded) — two months after disclose.io’s launch; the standards track and the safe-harbor track converge on the same year. HIGH
- 2018-12-07
diodb’s first real program list: 426 organizations (698675f). HIGH · Goal: track who has adopted safe-harbor terms.
2020 — the terms get a canonical home + the adoption engine
- 2020-06-30
disclose/dioterms repo first commit (851a906). HIGH
- 2020-07-15
First canonical terms text in the disclose org (be213be, generic-core-terms.md) with an explicit “Safe Harbor” section. HIGH
- 2020-08-12
disclose/diosts (Go security.txt scraper) created — the future adoption engine. HIGH
- 2020-09-02
CISA BOD 20-01 finalized: every U.S. federal civilian agency must publish a VDP. HIGH
- 2020-11-15
Wayback captures the actual dioterms text + the 2020 mission, verbatim: “To drive vulnerability disclosure adoption through safety, simplicity, and standardization.” HIGH
- 2020-11-16
Adoption inflection: the diosts bot auto-imports security.txt-discovered programs, jumping diodb 981 → 3,524 entries in one commit (aee74f1). The spike is automation riding CISA BOD 20-01, not a conference. HIGH
2021–2022 — the vision broadens
- 2021
Supporting-standards repos spin out: dnssecuritytxt (2021-03), policymaker (2021-07). HIGH · Goal expands toward an ecosystem.
- 2021-04-11
dioterms licensed CC0-1.0 (public domain): LICENSE added in 365c5f8 — the terms become genuinely reusable public infrastructure. HIGH · Goal: remove every reuse barrier.
- 2022-04-27
RFC 9116 (security.txt) published; co-author EdOverflow was an early diodb contributor — the two efforts are intertwined. HIGH
- 2022-07-14
Wayback captures the 2022 mission, verbatim: “a cross-industry, vendor-agnostic standardization project for safe harbor best practices… a straightforward maturity model.” HIGH
2021–2024 — the surrounding legal landscape (context, not dioterms lineage)
These are parallel developments, not descendants of the dioterms: they show the safe-harbor norm that disclose.io helped popularize turning up in courts and statutes. No textual derivation is claimed; they are here for context.
- 2021-06-03
Van Buren v. United States (SCOTUS, No. 19-783) narrows the CFAA’s “exceeds authorized access,” reducing — though expressly not settling — the exposure the safe-harbor clause exists to waive (the Court left the researcher question open). HIGH
- 2022-05-19
DOJ revises its CFAA charging policy to “for the first time direct that good-faith security research should not be charged” — the prosecution side adopts the same good-faith norm the private templates had been advancing. HIGH
- 2022-11-16
HackerOne “Gold Standard Safe Harbor” — “a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt” (early adopters: GitLab, KAYAK, Yahoo). A descendant of the standardization idea — it does not cite disclose.io. HIGH
- 2022-12-27
EU NIS2 (Directive (EU) 2022/2555) published; Article 12 (“Coordinated vulnerability disclosure”) requires every Member State to adopt a national CVD policy — the CISA-BOD-20-01 pattern, at EU scale. HIGH
- 2023-02-15
Belgium — among the first EU nations with a broad statutory safe harbor for good-faith research (France’s 2016 Digital Republic Act carried a narrower report-to-ANSSI immunity earlier): the CCB framework “allows any natural or legal person, acting without fraudulent or malicious intent, to investigate and report existing vulnerabilities in… systems located in Belgium.” HIGH
- 2024-12-10
EU Cyber Resilience Act (Reg. (EU) 2024/2847) enters into force — manufacturers of products with digital elements must have “a policy on coordinated vulnerability disclosure” — the CVD norm now surfacing as a market-access requirement. HIGH
Mainstream adoption (one pre-org outlier, shown out of strict order)
- 2016-11-21
U.S. DoD VDP goes always-on (“Hack the Pentagon” was the earlier spring-2016 pilot). HIGH · The largest adopter that predates disclose.io itself — placed here because it belongs to the adoption story, not the founding chronology. NOT evidence the org existed in 2016.
- 2023→2025
Target 2023-11-03 (f71528c) · Dell 2024-03-10 (ddf2f8e) · a16z 2024-09-28 (6f5b57d) · SIX Group 2025-07-20 (0e8e445) — each dated by the diodb commit that added it. HIGH
- 2026
The rebuilt disclose.io site restates the mission as “make vulnerability disclosure safe, simple, and standardized for everyone” — the 2020 triad, now addressed to “everyone” with five persona on-ramps. HIGH
- by 2026-06-03
directory.disclose.io — the hosted diodb front-end (“Search vulnerability disclosure and bug bounty programs”) — first Wayback-captured. The capture is an upper bound, not a launch date. MED
Goal evolution
The stated mission, quoted and dated.
| When | Stated goal / mission (verbatim) | Source |
|---|---|---|
| 2014 | (implicit in the framework) “an open-source disclosure policy with legal safe harbor” | bugcrowd/disclosure-policy |
| 2018 (pre-pivot) | “Disclose.io is a community-maintained resource for vulnerability disclosure” — the Jan-2018 guidance site, before the terms-project pivot of Aug 2018 | Wayback 2018-01/08 |
| 2018 (launch) | “a collaborative and vendor-agnostic project to standardize best practices around safe harbour for good-faith security research” | Wayback 2018-08-02 |
| 2020 | “To drive vulnerability disclosure adoption through safety, simplicity, and standardization” | Wayback 2020-11-15 |
| 2022 | “a cross-industry, vendor-agnostic standardization project for safe harbor best practices… a maturity model” | Wayback 2022-07-14 |
| 2026 | “make vulnerability disclosure safe, simple, and standardized for everyone” | Wayback 2026-06-04 |
The arc: a legal artifact (2014 safe-harbor template) → a community resource/directory (2018) → a standardization project with a maturity model (2020–22).
Where the language came from
Seven disclosure policies (2000–2022), compared by their actual text.
The safe-harbor clause, assembled across three organizations
The safe-harbor clause is the newest part of these policies. Three organizations built it, in order:
2014 · Bugcrowd — the goodwill promise, no statutes HIGH
“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research.”
2018 · Dropbox — where the legal magic word “authorized” enters (Mar 21, 2018), eight days before Elazari’s template repo, which credits it HIGH
“…we consider actions consistent with the policy as constituting ‘authorized’ conduct under the Computer Fraud and Abuse Act (CFAA)” · “a pledge that we won’t bring a Digital Millennium Copyright Act (DMCA) action…” · “…if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy (and therefore authorized by us).”
2018 · Elazari #legalbugbounty — standardizes it into a reusable, statute-naming template HIGH
“…‘authorized’ conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c).”
Its README credits the basis: “…the DOJ guidelines… and some leading policies like Dropbox.”
2020 · dioterms — the parameterized synthesis HIGH
“Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action… Authorized concerning any relevant anti-circumvention laws… Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP)… Lawful, helpful… and conducted in good faith.”
Similarity is not provenance. This is concordance + chronology across the texts actually fetched — not a commit-level “who-typed-what” diff. The order is corroborated by disclose.io’s own “three tributaries” attribution (Bugcrowd framework + Elazari + Dropbox) and Elazari’s explicit Dropbox credit, but generic legalese and parallel drafting are not excluded.
Feature comparison
| Feature | RFPolicy ’00 | IETF ’02 | ISO ’14 | Bugcrowd ’14 | Dropbox ’18 | Elazari ’18 | dioterms ’20 |
|---|---|---|---|---|---|---|---|
| Disclosure window | ✅ 5d | ✅ 30d | ❔ | ✅ 90d | ⚪ | ➖ | ✅ param |
| Researcher conduct | ✅ | ✅ | ❌ | ✅ | ✅ | ➖ | ✅ |
| Vendor commitments | ⚪ | ✅ | ✅ | ✅ | ✅ | ➖ | ✅ |
| Legal safe harbor | ❌ disclaims | ❌ | ❌ | ⚪ goodwill | ✅✅ CFAA/DMCA | ✅✅ +Cal 502 | ✅ structured |
| Bilateral structure | ❌ | ⚪ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Machine-readable | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ security.txt |
| Self-label | Full Disclosure | Responsible | Vuln disclosure | Responsible Disc. | VDP | Safe Harbor | VDP / BBP |
✅ present · ⚪ partial · ➖ clause-insert (not a whole policy) · ❌ absent · ❔ not retrievable (paywalled). Safe harbor is the last major feature to appear — ~17 years after the disclosure window.
The terminology arc
Full Disclosure (2000, completeness) → Responsible (2002, process) → Coordinated / CVD (2010–14, neutrality — CERT/CC: “responsible… is a matter of opinion… framed within the values of whoever is using the term”) → Safe Harbor (2017–18, legality). dioterms speaks all four dialects at once.
How the needs evolved
- 2000 — vendor stonewalling → a deadline (RFPolicy’s “5 days, then I publish”; it deliberately disclaims legal force).
- 2002 — multi-party chaos → roles + process (the Reporter / Vendor / Coordinator triad).
- 2010–14 — “responsible” weaponized → neutral terminology (CVD) + a vendor-side standard (ISO 29147).
- 2014 — every program reinvents the policy → a reusable, bilateral template (Bugcrowd).
- 2017–18 — researchers prosecuted under the CFAA / DMCA → a legally-operative safe harbor (Dropbox ships it; Elazari standardizes it).
- 2020–22 — adoption at scale, machine discovery, government mandate → parameterized, machine-readable terms (dioterms, security.txt, CISA BOD 20-01).
A disclosure policy started as a threat (“fix it or I publish”), became a protocol, then a brand-neutral standard, then a reusable contract, then a legal shield, and finally a machine-readable, government-mandated interface.
Confidence legend & honest caveats
HIGH = git commit hash, GitHub API field, RFC/directive, or verified Wayback snapshot. MED = single/secondary source or non-day-precise date.
Caveats (carried forward, not hidden):
- The often-cited “DEF CON 26 Legal Bug Bounty talk” could not be confirmed as a titled DEF CON 26 main-stage talk — likely a conflation with 2017 Skytalks (unrecorded).
- The SSRN paper has no DOI — cite SSRN ID 3161758. Its page bot-blocks curl (403) but renders live in a browser.
- ISO 29147’s first-edition day isn’t shown on iso.org; the 2014 edition year is confirmed.
- ~2-year gap between “terms provably existed on disclose.io” (2018-08) and “terms text is archived word-for-word” (2020-11) — Wayback never grabbed the original core_terms file, only the repo’s tree listing.
- An earlier Bugcrowd terms artifact exists — but it isn’t the root. Bugcrowd’s “Standard Disclosure Terms” (2014-03) carries researcher-protection intent but no safe-harbor legal clause, and no documented derivation into dioterms. The falsifiable claim is specifically about the earliest safe-harbor template; that still resolves to 2014-07-23.
- Earliest-found is not earliest-that-exists. Git archaeology establishes the earliest commit located in this search — not proof that no earlier artifact could ever surface. The 2014-07-23 headline is a falsifiable conjecture, retestable as GitHub/Wayback indexes grow.
References & archives
Every source re-checked 2026-07-05. A few (SSRN, iso.org, the Belgian CCB page) block bots but render in a browser; each is cited with a Wayback copy. Wayback snapshots are immutable.
GitHub — commits & repos (ground truth)
- GIT · bugcrowd/disclosure-policy — first commit 10ea3e1 (2014-07-23, Chris Raethke) · github.com/bugcrowd/disclosure-policy/commit/10ea3e1…
- GIT · bugcrowd/disclosure-policy — repo (“Merged with disclose/dioterms”) · github.com/bugcrowd/disclosure-policy
- GIT · Terminology rename responsible→vulnerability disclosure — commit cc83616 (2018-04-04) · github.com/bugcrowd/disclosure-policy/commit/cc83616
- GIT · disclose/diodb — oldest repo in the disclose org (first commit 0158e3b, 2018-05-16) · github.com/disclose/diodb
- GIT · disclose/dioterms — terms’ canonical repo (first commit 851a906, 2020-06-30) · github.com/disclose/dioterms
- GIT · disclose/diosts — Go security.txt scraper that drove the 2020 adoption spike · github.com/disclose/diosts
- GIT · EdOverflow/legal-bug-bounty — safe-harbor templates repo (2018-03-29) · github.com/EdOverflow/legal-bug-bounty
Web archives — Wayback Machine snapshots
- WB · bugcrowd/disclosure-policy — repo captures (2014-10-16, 2015-03-17) corroborating the 2014 commit · web.archive.org/web/2014*/github.com/bugcrowd/disclosure-policy
- WB · disclose.io — earliest snapshot (2016-10-02, 301 redirect; brand registered by 2016) · web.archive.org/web/20161002234519/disclose.io
- WB · disclose.io — first HTTP 200 snapshot, first live content (2018-01-18) · web.archive.org/web/20180118045058/disclose.io
- WB · disclose.io — full terms project on launch day (2018-08-02: “core terms”, three tributaries, “go to jail”) · web.archive.org/web/20180802132142/disclose.io
- WB · Bugcrowd “Standard Disclosure Terms” — earlier terms artifact, no safe-harbor clause (capture 2014-04-11) · web.archive.org/web/20140411213116/blog.bugcrowd.com/standard-disclosure-terms
- WB · Bugcrowd “The List” — bug-bounty directory antecedent of diodb (capture 2013-03-05) · web.archive.org/web/20130305011641/bugcrowd.com/list-of-bug-bounty-programs
- WB · Microsoft MSRC — “Announcing Coordinated Vulnerability Disclosure” (2010-07-22) · web.archive.org/web/20100724135757/…/announcing-coordinated-vulnerability-disclosure
- WB · Belgium CCB — national safe-harbor framework, effective 2023-02-15 · web.archive.org/web/20230215171904/ccb.belgium.be/en/vulnerability-reporting-ccb
- WB · disclose.io — 2026 mission, verbatim (2026-06-04) · web.archive.org/web/20260604052740/disclose.io
- WB · dioterms text + 2020 mission, verbatim (2020-11-15) · web.archive.org/web/20201115224220/…/dioterms/generic-core-terms.md
- WB · disclose.io — 2022 mission, verbatim (2022-07-14) · web.archive.org/web/20220714165017/disclose.io
Papers, standards, RFCs & directives
- DOC · Elazari — Enigma 2018: “Hacking the Law: Are Bug Bounties a True Safe Harbor?” · usenix.org/conference/enigma2018/presentation/elazari
- DOC · Elazari — SSRN “Private Ordering Shaping Cybersecurity Policy” (ID 3161758, no DOI) — 403 to bots; renders in browser · papers.ssrn.com/sol3/papers.cfm?abstract_id=3161758
- DOC · RFPolicy v1 (Rain Forest Puppy) — earliest formalized disclosure-policy template · en.wikipedia.org/wiki/RFPolicy
- DOC · IETF “Responsible Disclosure Process” draft (Christey/Wysopal) · datatracker.ietf.org/doc/html/draft-christey-wysopal-vuln-disclosure-00
- DOC · ISO/IEC 29147 — vulnerability disclosure standard (first ed. 2014) · iso.org/standard/45170.html
- DOC · CISA BOD 20-01 — U.S. federal VDP mandate (2020-09-02) · cisa.gov/…/bod-20-01-develop-and-publish-vulnerability-disclosure-policy
- DOC · RFC 9116 — security.txt (2022-04-27) · rfc-editor.org/rfc/rfc9116
- DOC · ISO/IEC 30111 — vulnerability handling processes, 1st ed. 2013-11 (via Wayback; iso.org 403s bots) · web.archive.org/web/20171220083905/iso.org/standard/53231.html
- DOC · ISO/IEC 29147 — 2nd ed. 2018-10 (supersedes 2014) (via Wayback) · web.archive.org/web/20181215190313/iso.org/standard/72311.html
- DOC · U.S. DOJ — “Framework for a Vulnerability Disclosure Program for Online Systems” v1.0 (July 2017) · justice.gov/criminal-ccips/page/file/983996/download
- DOC · CERT/CC — The CERT Guide to Coordinated Vulnerability Disclosure (CMU/SEI-2017-SR-022, Aug 2017) · sei.cmu.edu/library/the-cert-guide-to-coordinated-vulnerability-disclosure-2
- DOC · Van Buren v. United States, 593 U.S. ___ (2021-06-03) — CFAA narrowed (slip opinion) · supremecourt.gov/opinions/20pdf/19-783_k53l.pdf
- DOC · DOJ — revised CFAA charging policy: “good-faith security research should not be charged” (2022-05-19) · justice.gov/archives/opa/pr/…charging-cases-under-computer-fraud-and-abuse-act
- DOC · EU NIS2 — Directive (EU) 2022/2555, Art. 12 Coordinated vulnerability disclosure (OJ 2022-12-27) · eur-lex.europa.eu/eli/dir/2022/2555/oj
- DOC · EU Cyber Resilience Act — Regulation (EU) 2024/2847 (CVD policy required of manufacturers) · eur-lex.europa.eu/eli/reg/2024/2847/oj
Predecessor policy texts (fetched verbatim for the lineage)
- TXT · RFPolicy v2.0 (Rain Forest Puppy) — full “5 working days” policy text · dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt
- TXT · IETF — “Responsible Vulnerability Disclosure Process” draft, full text (Christey/Wysopal, 2002) · ietf.org/archive/id/draft-christey-wysopal-vuln-disclosure-00.txt
- SRC · Dropbox — “Protecting security researchers” (March 21, 2018) — the earliest “authorized under the CFAA” safe-harbor language in this corpus · dropbox.tech/security/protecting-security-researchers
- TXT · Elazari #legalbugbounty — safe_harbor.md template (the standardized clause) · github.com/EdOverflow/legal-bug-bounty/…/safe_harbor.md
- TXT · disclose.io dioterms — modern core-terms-vdp.md / core-terms-bbp.md (the parameterized synthesis) · github.com/disclose/dioterms
- DOC · CERT/CC — Guide to CVD (the “responsible → coordinated” terminology rationale) · certcc.github.io/CERT-Guide-to-CVD/tutorials/terms/cvd
Primary social & press
- SRC · Alex Rice (HackerOne co-founder/CTO) — the Bugcrowd-launched-first tweet: “Both founded 2012, @Bugcrowd launched first…” (live in browser; X blocks bot fetches) · x.com/senorarroz/status/779402727885410304 · archived copy
- SRC · Bugcrowd — 2014 framework launch press: PRNewswire (2014-07-24) · prnewswire.com/…/bugcrowd-releases-open-source-responsible-disclosure-framework
- SRC · Threatpost — “Bugcrowd Releases Open Source… Disclosure Framework” (2014-07-24, Dennis Fisher) · threatpost.com/bugcrowd-releases-open-source-vulnerability-disclosure-framework/107399
- SRC · Bugcrowd — “Launches Disclose.io” 2018 launch press release (live) + GlobeNewswire wire (dateline Aug. 02, 2018) · bugcrowd.com/press-release/…launches-disclose-io… · GlobeNewswire
- SRC · Google Project Zero — announcement (2014-07-15) + 90-day policy formalized (2015-02-13) · projectzero.google/2014/07/announcing-project-zero · 90-day update
- SRC · HackerOne — “Gold Standard Safe Harbor” press release (2022-11-16) · hackerone.com/press-release/hackerone-announces-gold-standard-safe-harbor…
- SRC · U.S. DoD VDP / Hack the Pentagon (2016-11-21) · hackerone.com/deptofdefense