This site is currently in Beta. Please leave comments/feedback/suggestions here or in #2-policymaker if you are a member of the Slack.

Who is this for?

Policymaker is a "one-stop-shop" policy generator for anyone launching a vulnerability disclosure program (VDP) for the first time, looking to update their VDP policy, or wanting to add features to an existing program.

Once completed, Policymaker will provide you with:

  • A full vulnerability disclosure program policy (for new or replacement VDPs),
  • A safe harbor clause (for insertion into an existing VDP)
  • security.txt files, and
  • DNS Security TXT records.

How does it work?

It's as easy as 1-2-3...

  1. Policymaker will ask you a few questions about your organization's name, security contact channels, preferred policy deployment page, and, if you have one, your vulnerability disclosure timeline.
  2. The tool will use the standardized policy repository (created and maintained by industry experts, lawyers, and legal teams of large organizations that run VDPs) to create a policy just for you.
  3. Download the policy in HTML or Markdown, as well as RFC-compliant security.txt and DNS Security TXT records.

What's next?

This is the crucial part... We've worked hard to make creating these artifacts simple and standardized - the power comes when you put them to work!

  1. Publish your VDP on a web page on your main website, or through a VDP platform provider such as Bugcrowd, HackerOne, or Intigriti, and deploy the security.txt file in a directory on the servers and systems covered by the VDP, as well as the DNS Security TXT records into the DNS zone for domains covered by the VDP.
  2. Each artifact comes with instructions, which you can pass on to the appropriate teams within your organization to implement and legal teams for review.
  3. Your domain will be added to a list of domains scanned for updates into the Contact Database, and your new VDP will appear in our records once the security.txt is implemented.
  4. After reviewing your published policy, a maintainer will mark your VDP as Level 4 - Full Safe Harbor or Level 5 - Full Safe Harbor with CVD in the Status Database, and you will be able to display the appropriate Maturity Seal on your website. 

Note: While we've engaged the legal opinion of many, the policy output of Policymaker does not constitute legal advice. Please consult your legal counsel for the specific suitability of the terms in your organization.

What will I require?

  • The legal name of your organization.
  • The contact channels through which you intend to receive security reports. It is acceptable to use web forms and email addresses, or a combination of the two.
  • The location where you intend to host your VDP policy. You can change this later if necessary.
  • (Optional): A timetable for coordinated vulnerability disclosure (CVD). If you don't know what this is, you'll be given a sane default and the option to opt-out.

Ready to start? Hit "Begin" and let's get going!