Running With Scissors - The Disclose.io Blog

Sign in Subscribe

Policy Pulse - Issue #5 | Week of March 1, 2026

Policy Pulse - Issue #5 | Week of March 1, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research. This week: RUSI explores cyber deputisation and letters of marque, UK launches Cyber Essentials push, curl kills its bug bounty over AI slop, and the MITRE CVE contract enters its final two weeks.

Policy Pulse - Issue #4 | Week of February 22, 2026

Policy Pulse - Issue #4 | Week of February 22, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research. This week: Australia mandates VDPs for all smart devices, MITRE CVE contract enters final countdown, and a researcher who found children's data exposed gets threatened with prosecution.

Policy Pulse - Issue #3 | Week of February 15, 2026

Policy Pulse - Issue #3 | Week of February 15, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research. This week: CISA BOD 26-02 targets unsupported edge devices, MITRE CVE contract hits 30-day countdown, and UK CMA statutory defence takes shape.

Modes of Public Vulnerability Disclosure: A 2026 Update

Modes of Public Vulnerability Disclosure: A 2026 Update

Understanding the taxonomy of vulnerability disclosure—from private to full to coordinated—and why the industry has converged on 90 days as the rational baseline. Updated for 2026 with the latest from disclose.io Policymaker.

Policy Pulse - Issue #2 | Week of February 8, 2026

Policy Pulse - Issue #2 | Week of February 8, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.

Policy Pulse - Issue #1 | Week of February 1, 2026

Policy Pulse - Issue #1 | Week of February 1, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.

Research on legal risk experiences — seeking interviewees

Research on legal risk experiences — seeking interviewees

Academic research exploring the legal risks security researchers face when discovering and reporting vulnerabilities. If you've experienced legal threats or prosecution related to security research, your story could help shape better protections.

The disclose.io Community Forum is Back—Here’s How to Dive In

The disclose.io Community Forum is Back—Here’s How to Dive In

The disclose.io community forum has been relaunched with new features for security researchers and organizations. Learn how to join the conversation, connect with fellow researchers, and contribute to safer vulnerability disclosure practices.

Bill Proposal: Unpacking the Cyber Conspiracy Modernization Act

Bill Proposal: Unpacking the Cyber Conspiracy Modernization Act

The Cybercrime Conspiracy Modernization Act (CCMA), introduced by Senators Mike Rounds (R-SD)

A brief history of vulnerability disclosure and bug bounty

A brief history of vulnerability disclosure and bug bounty

Explore the evolution of vulnerability disclosure from the early days of full disclosure debates through the emergence of bug bounty programs. A comprehensive three-part series by Dennis Fisher covering the history that shaped modern security research.

Introducing the disclose.io Policymaker!

Introducing the disclose.io Policymaker!

Introducing the disclose.io Policymaker tool — a free, open-source generator for creating vulnerability disclosure policies. Build compliant VDP and bug bounty policies in minutes with our guided policy builder.

Make DMCA About Copyright Again

Make DMCA About Copyright Again

The DMCA's anti-circumvention provisions have been misused against security researchers for decades. Here's why we need to return the Digital Millennium Copyright Act to its original purpose and protect good-faith security research.