Policymaker VDP policy generator (plus security.txt and DNS Security TXT) Beta is Live!

Hi all,

@jmanoto has been working hard on putting together “policymaker” - A “one-stop-shop” for the creation of a VDP policy, security.txt file, and DNS security TXT records.

It’s live at https://policymaker.disclose.io and currently unpromoted (pending initial feedback), and we’d love y’all to take a look at it and give feedback on the user flows, content, and general experience.

The goal of this tool is two-fold:

  1. Make the creation of artifacts for a VDP as simple as possible to drive adoption, and
  2. Encourage translation of the core terms into different languages to push standardization.

If you’ve got feedback (even if it’s just a “two-thumbs up this is great”) please drop it here! Thanks much!


Hi Team,

I really like the idea of this project. A couple of thoughts running through this:

  • The user is unable to select and copy the generated documents, they have to be downloaded, which is a bit of a pain.
  • You add disclose.io in the security.txt acknowledgements section, but as the RFC states:

This field indicates a link to a page where security researchers are recognized for their reports.

  • The language dropdown currently doesn’t do anything, so I’d suggest removing it until you have other languages available.
  • The introductions suggests that after completing the defined steps that the user’s domain will automatically be added to the disclose.io database, but I can’t see that this is happening? I assume the user still has to submit a PR to the database?

Your domain will be added to a list of domains scanned for updates into the Disclose.io Contact Database, and your new VDP will appear in our records once the security.txt is implemented.

Thanks to this tool I’ve updated the DNS Security TXT records and security policy for bughuntr.io!



Hi @ajxchapman.

Thanks for the feedback and glad to hear it was of some use to you!

  1. Can’t believe overlooked the simplest of delivery methods - copy/paste! We’ll enable on the next update. On that note, would you feel it useful to also have the ability to copy the raw html or markdown directly?
  2. Noted and good spot on the security.txt RFC - removing the Acknowledgement entry.
  3. Multiple languages is in our pipeline - pending translations obviously, but good call to hide the dropdown for now.
  4. At the moment the tool is not integrated to update the scanning list so, yes a manual PR is still required - we jumped a bit ahead of ourselves!



A little update on this: We’ve made several tweaks and changes to the site, and our first translation (Arabic) has been contributed by the community to the templates and will be integrated soon. We’d love to hear what other languages this community thinks should be next (…or you can just go ahead, translate it yourself, and submit a Pull Request to the repo)!

1 Like


Great work gang!

Is the mailto link in the correct format? I’ve always seen them as mailto:[email protected] but they’re formatted as mailto://[email protected] in the policymaker.




Hey @goggan,

Thanks for pointing that out. The tool has been updated to format the email links according to RFC6068 :+1:


  • Jeremy
1 Like