🏆 Earliest provenance root of the dioterms lineage
The first commit of bugcrowd/disclosure-policy: hash 10ea3e1, subject “first commit,” authored by Chris Raethke (Bugcrowd’s founding CTO) on 2014-07-23 at 23:02:41 −0700.
That repo’s own GitHub description draws the inheritance explicitly:
“Open Source Vulnerability Disclosure Framework. Maintained by Bugcrowd and Cipherlaw. Merged with github.com/disclose/dioterms.”
And the defining feature of dioterms — bilateral safe harbor — is already present in that very first 2014 file (responsible_disclosure_policy.md):
“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research…”
So the dioterms language is ~4 years older than the disclose.io brand it later fed into. Note this proves a Bugcrowd disclosure-policy repo existed in 2014 — it does not prove disclose.io was co-founded in 2014 (a separate, bio-sourced claim). Keep those two facts apart.
Why this date is HIGH, not just one self-reported timestamp
- Author date == committer date (2014-07-23 23:02:41 −0700) — no rebase/backdate divergence.
- Root commit — `git rev-list --parents` shows no parent → a genuine initial commit, not a migrated history.
- Clean initial commit — 3 files / 105 insertions (one policy + one guide + README), not a bulk import that would make the date suspect.
- Independent corroboration — the Wayback Machine captured the live repo on 2014-10-16 (HTTP 200), ~3 months after the commit, and again on 2015-03-17. Git and Wayback agree.
This is a falsifiable claim: it stands until an earlier Bugcrowd template, gist, or snapshot surfaces. The 2026-05-31 refutation hunt found nothing earlier in Bugcrowd’s repos.
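As an added example (not code from the page or from any project it cites), the three git-level checks above applied to the lines that `git show` prints for a root commit. The record values are constructed for the example: the first reuses the hash, timestamp and file count the note reports for bugcrowd/disclosure-policy, the second is a hypothetical rebased bulk import that should fail.

```python
"""
Git-archaeology checks for a claimed root commit, fed by these commands
(standard git options; run them in a clone of the repo under review):

  git rev-list --max-parents=0 HEAD              # list root commit(s)
  git show -s --format='%h|%P|%at|%ct' <root>    # hash|parents|author ts|committer ts
  git show --shortstat --format= <root>          # "N files changed, M insertions(+)"
"""
import re
from dataclasses import dataclass

SHORTSTAT = re.compile(r"(\d+) files? changed(?:, (\d+) insertions?\(\+\))?")


@dataclass
class RootCheck:
    commit: str
    is_root: bool        # %P is empty: no parent, so not a migrated history
    dates_agree: bool    # %at == %ct: no rebase/amend rewrote the committer date
    small_initial: bool  # a handful of files, not a bulk import of older work
    files: int

    @property
    def high_confidence(self) -> bool:
        """All three criteria hold, as the note requires for a HIGH date."""
        return self.is_root and self.dates_agree and self.small_initial


def check_root_commit(show_line: str, shortstat_line: str, max_files: int = 10) -> RootCheck:
    """Parse the two git output lines and apply the three criteria."""
    commit, parents, author_ts, committer_ts = show_line.strip().split("|")
    m = SHORTSTAT.search(shortstat_line)
    files = int(m.group(1)) if m else 0  # no shortstat line: empty commit
    return RootCheck(
        commit=commit,
        is_root=(parents.strip() == ""),
        dates_agree=(int(author_ts) == int(committer_ts)),
        small_initial=(0 < files <= max_files),
        files=files,
    )


# Constructed records. 1406181761 is 2014-07-23 23:02:41 -0700 as a Unix timestamp.
BUGCROWD_ROOT = ("10ea3e1||1406181761|1406181761", "3 files changed, 105 insertions(+)")
# Hypothetical counterexample: author date kept from 2014, committer date set by
# a later rebase, and a 400-file import; such a date could not be rated HIGH.
REBASED_IMPORT = ("deadbee||1406181761|1560000000", "400 files changed, 9000 insertions(+)")

if __name__ == "__main__":
    for show, stat in (BUGCROWD_ROOT, REBASED_IMPORT):
        r = check_root_commit(show, stat)
        print(f"{r.commit}: root={r.is_root} dates_agree={r.dates_agree} "
              f"files={r.files} high_confidence={r.high_confidence}")
```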
The shape of it
A single image of the whole lineage, predecessors → dioterms.
🧬 The lineage chain
Solid arrows (──▶) = documented inheritance (a repo states it merged X; X is a direct ancestor). Dashed (╌╌▶) = conceptual antecedent only — same problem space, no sourced derivation.
```text
CONCEPTUAL ANTECEDENTS    DOCUMENTED-INHERITANCE CHAIN             CONFLUENCE             CANONICAL HOME
(no sourced derivation)

┌──────────────────┐
│ 2000 RFPolicy v1 │╌╌┐
│ (Rain Forest     │  ╎
│  Puppy)          │  ╎   ┌─────────────────────────────────┐
└──────────────────┘  ╎ ╌▶│ 2014-07-23 Bugcrowd + CipherLaw │──┐  (repo: "Merged with disclose/dioterms")
┌──────────────────┐  ╎   │ "Open Source Vuln Disclosure    │  │
│ 2002 IETF resp.  │╌╌┤   │  Framework" (disclosure-policy) │  │   ┌──────────────────┐   ┌─────────────────┐
│ disclosure draft │  ╎   │ → bilateral safe-harbor clause  │  ├──▶│ 2018-08-02       │──▶│ 2020-06-30      │
├──────────────────┤  ╎   └─────────────────────────────────┘  │   │ disclose.io      │   │ disclose/       │
│ 2014-02 ISO 29147│╌╌┘                                        │   │ LAUNCHES         │   │ dioterms repo   │
└──────────────────┘      ┌─────────────────────────────────┐  │   │ (Bugcrowd +      │   │ → generic-core- │
                          │ 2017-18 Amit Elazari            │  │   │  Elazari) merges │   │   terms.md      │
                          │ #LegalBugBounty / "Hacking the  │──┘   │  3 predecessors  │   │   (2020-07-15)  │
                          │  Law" safe-harbor scholarship   │      └──────────────────┘   └─────────────────┘
                          │ + Dropbox researcher protection │
                          └─────────────────────────────────┘
```

The solid chain is sourced: disclose.io’s own 2018 launch page names the three tributaries it merged (Bugcrowd+CipherLaw’s 2014 framework, Elazari’s #legalbugbounty, Dropbox’s researcher-protection language), and bugcrowd/disclosure-policy’s description states it merged into disclose/dioterms. The 2000–2014 norms (RFPolicy, IETF draft, ISO 29147) are dashed: they shaped the problem space of standardized disclosure, but no document shows Bugcrowd’s framework deriving its text from them — antecedents, not parents.
🗓️ Timeline
Each entry: date — milestone (project goal/intent active then) — confidence — source.
Platform pre-history — the crowdsourced-security market (the demand soil)
- 2012 — Bugcrowd & HackerOne both founded; Bugcrowd launched first. Per HackerOne co-founder/CTO Alex Rice, on record: “Both founded 2012, @Bugcrowd launched first! @Hacker0x01 kickoff 2/2012, 1st commit 4/2012, 1st private 1/2013, 1st public 10/2013.” HIGH. Crowdsourced security as a service put researchers and orgs into at-scale engagement — exactly what made standardized safe-harbor terms necessary by 2014.
Pre-history — disclosure norms (the supply soil)
- 2000-06 — RFPolicy v1 (Rain Forest Puppy): first formalized vulnerability-disclosure policy template (fixed notify-then-publish timeline). MED. Goal: give researchers a repeatable, fair disclosure process.
- 2002 — IETF “Responsible Disclosure Process” draft (Christey/Wysopal). MED. Goal: standardize “responsible disclosure” terminology.
- 2014-02 — ISO/IEC 29147 first edition (vulnerability disclosure). MED. Goal: a formal international standard.
2014 — the earliest provenance root (Bugcrowd precursor, not yet a “dioterm”)
- 2014-07-23 — 🏆 `bugcrowd/disclosure-policy` first commit (10ea3e1, Chris Raethke). Files: `responsible_disclosure_policy.md`, `setting_up_a_responsible_disclosure_program.md`. HIGH. Goal: an open-source, copy-pasteable disclosure framework with built-in legal safe harbor for researchers.
- 2014-10-16 — Earliest Wayback capture of the Bugcrowd framework repo (HTTP 200). HIGH.
2017–2018 — the legal-safe-harbor idea crystallizes
- 2017 — Amit Elazari’s safe-harbor scholarship begins (DEF CON Skytalks / BSidesLV, unrecorded). MED. Goal: make legal safe harbor a standardized norm, not a per-program favor.
- 2018-01 — Enigma 2018 talk “Hacking the Law: Are Bug Bounties a True Safe Harbor?” HIGH.
- 2018-03-29 — `EdOverflow/legal-bug-bounty` templates repo created. HIGH.
- 2018-04-12 — SSRN paper “Private Ordering Shaping Cybersecurity Policy: The Case of Bug Bounties” (SSRN ID 3161758 — no DOI; cite the ID). HIGH.
2018 — disclose.io is born
- 2018-05-16 — `disclose/diodb` first commit (0158e3b) — oldest repo in the disclose org. HIGH.
- 2018-08-02 — 🚀 disclose.io launches (Bugcrowd + Amit Elazari), explicitly merging the three predecessors. HIGH. Goal (2018, verbatim): “a community-maintained resource for vulnerability disclosure.”
- 2018-08-29 — Earliest Wayback capture showing disclose.io as a terms project (“Read the core terms,” links to `disclose/disclose/core_terms`). HIGH.
- 2018-12-07 — diodb’s first real program list: 426 organizations (698675f). HIGH. Goal: track who has adopted safe-harbor terms.
2020 — the terms get a canonical home + the adoption engine
- 2020-06-30 — `disclose/dioterms` repo first commit (851a906). HIGH.
- 2020-07-15 — First canonical terms text in the disclose org (be213be, `generic-core-terms.md`) with an explicit “Safe Harbor” section. HIGH.
- 2020-08-12 — `disclose/diosts` (Go security.txt scraper) created — the future adoption engine. HIGH.
- 2020-09-02 — CISA BOD 20-01 finalized: every U.S. federal civilian agency must publish a VDP. HIGH.
- 2020-11-15 — Wayback captures the actual dioterms text + the 2020 mission, verbatim: “To drive vulnerability disclosure adoption through safety, simplicity, and standardization.” HIGH.
- 2020-11-16 — 📈 Adoption inflection: the `diosts` bot auto-imports security.txt-discovered programs, jumping diodb 981 → 3,524 entries in one commit (aee74f1). The spike is automation riding CISA BOD 20-01, not a conference. HIGH.
2021–2022 — the vision broadens
- 2021 — Supporting-standards repos spin out: `dnssecuritytxt` (2021-03), `policymaker` (2021-07). HIGH. Goal expands toward an ecosystem.
- 2022-04-27 — RFC 9116 (security.txt) published; co-author EdOverflow was an early diodb contributor — the two efforts are intertwined. HIGH.
- 2022-07-14 — Wayback captures the 2022 mission, verbatim: “a cross-industry, vendor-agnostic standardization project for safe harbor best practices… a straightforward maturity model.” HIGH.
Mainstream adoption (one pre-org outlier, shown out of strict order)
- 2016-11-21 — U.S. DoD VDP / Hack the Pentagon. HIGH. The largest adopter that predates disclose.io itself — placed here because it belongs to the adoption story, not the founding chronology. NOT evidence the org existed in 2016.
- 2023→2025 — Target 2023-11-03 (f71528c) · Dell 2024-03-10 (ddf2f8e) · a16z 2024-09-28 (6f5b57d) · SIX Group 2025-07-20 (0e8e445) — each dated by the diodb commit that added it. HIGH.
📈 Goal evolution
Verbatim, dated — the safe-harbor clause is the invariant; the ambition around it kept widening.
| When | Stated goal / mission (verbatim) | Source |
|---|---|---|
| 2014 | (implicit in the framework) “an open-source disclosure policy with legal safe harbor” | bugcrowd/disclosure-policy |
| 2018 (pre-pivot) | “Disclose.io is a community-maintained resource for vulnerability disclosure” — the Jan-2018 guidance site, before the terms-project pivot of Aug 2018 | Wayback 2018-01/08 |
| 2020 | “To drive vulnerability disclosure adoption through safety, simplicity, and standardization” | Wayback 2020-11-15 |
| 2022 | “a cross-industry, vendor-agnostic standardization project for safe harbor best practices… a maturity model” | Wayback 2022-07-14 |
The arc: a legal artifact (2014 safe-harbor template) → a community resource/directory (2018) → a standardization project with a maturity model (2020–22).
🧩 Where the language came from
Seven disclosure policies, 2000–2022, compared by their actual fetched text — how the clauses, and the needs behind them, evolved.
The safe-harbor clause, assembled across three organizations
The clause everyone now treats as the heart of the dioterms is the genre’s most recent organ — and it has three distinct authors. Traced verbatim:
2014 · Bugcrowd — the goodwill promise, no statutes HIGH
“If you follow these guidelines… we commit to: Not pursue or support any legal action related to your research.”
2018 · Dropbox — where the legal magic word “authorized” enters (Mar 21, 2018), eight days before Elazari’s template repo, which credits it HIGH
“…we consider actions consistent with the policy as constituting ‘authorized’ conduct under the Computer Fraud and Abuse Act (CFAA)” · “a pledge that we won’t bring a Digital Millennium Copyright Act (DMCA) action…” · “…if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy (and therefore authorized by us).”
2018 · Elazari #legalbugbounty — standardizes it into a reusable, statute-naming template HIGH
“…‘authorized’ conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c).”
Its README credits the basis: “…the DOJ guidelines… and some leading policies like Dropbox.”
2020 · dioterms — the parameterized synthesis HIGH
“Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action… Authorized concerning any relevant anti-circumvention laws… Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP)… Lawful, helpful… and conducted in good faith.”
⚠ Similarity ≠ provenance. This is concordance + chronology across the texts actually fetched — not a commit-level “who-typed-what” diff. The order is corroborated by disclose.io’s own “three tributaries” attribution (Bugcrowd framework + Elazari + Dropbox) and Elazari’s explicit Dropbox credit, but generic legalese and parallel drafting are not excluded.
Feature comparison — the oldest feature is the clock, not the contract
| Feature | RFPolicy ’00 | IETF ’02 | ISO ’14 | Bugcrowd ’14 | Dropbox ’18 | Elazari ’18 | dioterms ’20 |
|---|---|---|---|---|---|---|---|
| Disclosure window | ✅ 5d | ✅ 30d | ❔ | ✅ 90d | ⚪ | ➖ | ✅ param |
| Researcher conduct | ✅ | ✅ | ❌ | ✅ | ✅ | ➖ | ✅ |
| Vendor commitments | ⚪ | ✅ | ✅ | ✅ | ✅ | ➖ | ✅ |
| Legal safe harbor | ❌ disclaims | ❌ | ❌ | ⚪ goodwill | ✅✅ CFAA/DMCA | ✅✅ +Cal 502 | ✅ structured |
| Bilateral structure | ❌ | ⚪ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Machine-readable | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ security.txt |
| Self-label | Full Disclosure | Responsible | Vuln disclosure | Responsible Disc. | VDP | Safe Harbor | VDP / BBP |
✅ present · ⚪ partial · ➖ clause-insert (not a whole policy) · ❌ absent · ❔ not retrievable (paywalled). Safe harbor is the last major feature to appear — ~17 years after the disclosure window.
The terminology arc — accreting layers, not replacements
Full Disclosure (2000, completeness) → Responsible (2002, process) → Coordinated / CVD (2010–14, neutrality — CERT/CC: “responsible… is a matter of opinion… framed within the values of whoever is using the term”) → Safe Harbor (2017–18, legality). dioterms speaks all four dialects at once.
How the needs evolved — each layer answered a new fear
- 2000 — vendor stonewalling → a deadline (RFPolicy’s “5 days, then I publish”; it deliberately disclaims legal force).
- 2002 — multi-party chaos → roles + process (the Reporter / Vendor / Coordinator triad).
- 2010–14 — “responsible” weaponized → neutral terminology (CVD) + a vendor-side standard (ISO 29147).
- 2014 — every program reinvents the policy → a reusable, bilateral template (Bugcrowd).
- 2017–18 — researchers prosecuted under the CFAA / DMCA → a legally-operative safe harbor (Dropbox ships it; Elazari standardizes it).
- 2020–22 — adoption at scale, machine discovery, government mandate → parameterized, machine-readable terms (dioterms, security.txt, CISA BOD 20-01).
A disclosure policy started as a threat (“fix it or I publish”), became a protocol, then a brand-neutral standard, then a reusable contract, then a legal shield, and finally a machine-readable, government-mandated interface.
🔎 Confidence legend & honest caveats
HIGH = git commit hash, GitHub API field, RFC/directive, or verified Wayback snapshot. MED = single/secondary source or non-day-precise date.
Caveats (carried forward, not hidden):
- The often-cited “DEF CON 26 Legal Bug Bounty talk” could not be confirmed as a titled DEF CON 26 main-stage talk — likely a conflation with 2017 Skytalks (unrecorded).
- The SSRN paper has no DOI — cite SSRN ID 3161758. Its page bot-blocks `curl` (403) but renders live in a browser.
- ISO 29147’s first-edition day isn’t shown on iso.org; the 2014 edition year is confirmed.
- ~2-year gap between “terms provably existed on disclose.io” (2018-08) and “terms text is archived word-for-word” (2020-11) — Wayback never grabbed the original `core_terms` file, only the repo’s tree listing.
- Earliest-found ≠ earliest-that-exists. Git archaeology establishes the earliest commit located in this search — not proof that no earlier artifact could ever surface. The 2014-07-23 headline is a falsifiable conjecture, retestable as GitHub/Wayback indexes grow.
📚 References & archives
Sources drawn from the project’s verified ledger. Re-checked 2026-06-21: GitHub commits/repos, standards, RFCs & directives all live (HTTP 200); SSRN 403s to bots (renders in-browser); the Bugcrowd launch-blog URL has 404’d since their rebrand (launch corroborated by the 2018-08-29 disclose.io snapshot); the Alex Rice (Bugcrowd-launched-first) tweet links directly to X, with a Wayback copy alongside (X blocks bot fetches; the tweet renders live in a browser). The six Wayback snapshots are immutable.
GitHub — commits & repos (ground truth)
- [GIT] 🏆 bugcrowd/disclosure-policy — first commit 10ea3e1 (2014-07-23, Chris Raethke) — github.com/bugcrowd/disclosure-policy/commit/10ea3e1…
- [GIT] bugcrowd/disclosure-policy — repo (“Merged with disclose/dioterms”) — github.com/bugcrowd/disclosure-policy
- [GIT] Terminology rename responsible→vulnerability disclosure — commit cc83616 (2018-04-04) — github.com/bugcrowd/disclosure-policy/commit/cc83616
- [GIT] disclose/diodb — oldest repo in the disclose org (first commit 0158e3b, 2018-05-16) — github.com/disclose/diodb
- [GIT] disclose/dioterms — terms’ canonical repo (first commit 851a906, 2020-06-30) — github.com/disclose/dioterms
- [GIT] disclose/diosts — Go security.txt scraper that drove the 2020 adoption spike — github.com/disclose/diosts
- [GIT] EdOverflow/legal-bug-bounty — safe-harbor templates repo (2018-03-29) — github.com/EdOverflow/legal-bug-bounty
Web archives — Wayback Machine snapshots
- [WB] bugcrowd/disclosure-policy — repo captures (2014-10-16, 2015-03-17) corroborating the 2014 commit — web.archive.org/web/2014*/github.com/bugcrowd/disclosure-policy
- [WB] disclose.io — earliest snapshot (2016-10-02, 301 redirect; brand registered by 2016) — web.archive.org/web/20161002234519/disclose.io
- [WB] disclose.io — first HTTP 200 snapshot, first live content (2018-01-18) — web.archive.org/web/20180118045058/disclose.io
- [WB] disclose.io — first captured as a “terms project” (2018-08-29) — web.archive.org/web/20180829162504/disclose.io
- [WB] dioterms text + 2020 mission, verbatim (2020-11-15) — web.archive.org/web/20201115224220/…/dioterms/generic-core-terms.md
- [WB] disclose.io — 2022 mission, verbatim (2022-07-14) — web.archive.org/web/20220714165017/disclose.io
Papers, standards, RFCs & directives
- [DOC] Elazari — Enigma 2018: “Hacking the Law: Are Bug Bounties a True Safe Harbor?” — usenix.org/conference/enigma2018/presentation/elazari
- [DOC] Elazari — SSRN “Private Ordering Shaping Cybersecurity Policy” (ID 3161758, no DOI) — 403 to bots; renders in browser — papers.ssrn.com/sol3/papers.cfm?abstract_id=3161758
- [DOC] RFPolicy v1 (Rain Forest Puppy) — earliest formalized disclosure-policy template — en.wikipedia.org/wiki/RFPolicy
- [DOC] IETF “Responsible Disclosure Process” draft (Christey/Wysopal) — datatracker.ietf.org/doc/html/draft-christey-wysopal-vuln-disclosure-00
- [DOC] ISO/IEC 29147 — vulnerability disclosure standard (first ed. 2014) — iso.org/standard/45170.html
- [DOC] CISA BOD 20-01 — U.S. federal VDP mandate (2020-09-02) — cisa.gov/…/bod-20-01-develop-and-publish-vulnerability-disclosure-policy
- [DOC] RFC 9116 — security.txt (2022-04-27) — rfc-editor.org/rfc/rfc9116
Predecessor policy texts (fetched verbatim for the lineage)
- [TXT] RFPolicy v2.0 (Rain Forest Puppy) — full “5 working days” policy text — dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt
- [TXT] IETF — “Responsible Vulnerability Disclosure Process” draft, full text (Christey/Wysopal, 2002) — ietf.org/archive/id/draft-christey-wysopal-vuln-disclosure-00.txt
- [SRC] Dropbox — “Protecting security researchers” (March 21, 2018) — the earliest “authorized under the CFAA” safe-harbor language in this corpus — dropbox.tech/security/protecting-security-researchers
- [TXT] Elazari #legalbugbounty — `safe_harbor.md` template (the standardized clause) — github.com/EdOverflow/legal-bug-bounty/…/safe_harbor.md
- [TXT] disclose.io dioterms — modern `core-terms-vdp.md` / `core-terms-bbp.md` (the parameterized synthesis) — github.com/disclose/dioterms
- [DOC] CERT/CC — Guide to CVD (the “responsible → coordinated” terminology rationale) — certcc.github.io/CERT-Guide-to-CVD/tutorials/terms/cvd
Primary social & press
- [SRC] Alex Rice (HackerOne co-founder/CTO) — the Bugcrowd-launched-first tweet: “Both founded 2012, @Bugcrowd launched first…” (live in browser; X blocks bot fetches) — x.com/senorarroz/status/779402727885410304 · archived copy
- [SRC] Bugcrowd — “Introducing disclose.io” launch blog (2018-08-02) — ⚠ original URL now 404 (post-rebrand); not in Wayback. Launch corroborated by the 2018-08-29 disclose.io snapshot above + the diodb repo. — www.bugcrowd.com/blog/introducing-disclose-io/
- [SRC] U.S. DoD VDP / Hack the Pentagon (2016-11-21) — hackerone.com/deptofdefense