Vulnerability Disclosure Policy from Dioterms

Exploring the use of dioterms and policymaker to create vulnerability disclosure policies for a website.


  • DNS is relevant to the deployment of the website (_security)
  • Entry within the /.well-known/ root of the domain (
  • Security entry for the domain (
  • If the application is located within (e.g. index.html), then the top level domain elements can be “procedural”
  • Construct the webpage into a bundle (website.wbn), publish it to the “deployer”, which can then handle the top level elements
  • References can still exist within the app (/security, /.well-known/...), known to the website manifest
  • The website manifest allows it to enforce expectations about required top-level components
  • Distributable/Sharable webpages can combine/merge these components (e.g. website.wbn, website.manifest, website.policy) with organization (or overwrite)