The community database of every VDP & bug-bounty program and its safe-harbor status — now served live at directory.disclose.io.
Part of the disclose.io Project — the open, vendor-neutral infrastructure for vulnerability disclosure. Browse the ecosystem →
Note
diodb is the open dataset. directory.disclose.io is the live front-end.
The directory is the searchable, always-current place to look programs up. This repo is the open, version-controlled, CC0 dataset behind that story — and it remains open to contributions.
If you just want to find a program, use the directory. If you want to add or correct one in the open dataset, pull requests here are welcome — see How to Contribute.
| Purpose | Link |
|---|---|
| Search through the database front-end | https://disclose.io/programs |
| Download the raw database in .json format | https://github.com/disclose/diodb/raw/master/program-list.json |
| Generate your own Vulnerability Disclosure Program | https://policymaker.disclose.io/ |
| Join disclose.io Community Forum | https://community.disclose.io |
| Learn more about Vulnerability Disclosure Programs (VDP) | https://github.com/disclose/dioterms |
diodb exists to drive the adoption of Safe Harbor for hackers and promote the cybersecurity posture of early adopters, simplify the process of finding the right contacts and channel at an organization, and help both finders and vendors align around the expectations of engagement. It also provides a simple, vendor-agnostic point of engagement for program operators, potential program operators, and the security community to maintain updates to their program.
Pull requests are welcome. To add or update a program in the open dataset:
- Edit
program-list.json. - Format and sort the file — CI enforces this, and it is the single most common reason a PR goes red:
jq --indent 3 -s '.[] | unique_by(.program_name)' < program-list.json > _ && mv _ program-list.json
- Open a PR. CI will validate the JSON, check for duplicates, and verify the links.
Full guidelines are in CONTRIBUTING.md.
Prefer not to use git? You can also:
- Look a program up → directory.disclose.io
- Ask a question or discuss → community.disclose.io
disclose by disclose.io is licensed under a Creative Commons Attribution 4.0 International License.

