Revamp README.md

.github/ISSUE_TEMPLATE/add.yml

@@ -0,0 +1,39 @@
+name: Add new program
+description: Request adding a new bug bounty or vulnerability disclosure program to diodb
+title: "add new program: {name}"
+assignees:
+  - nikitastupin
+body:
+  - type: input
+    id: policy_url
+    attributes:
+      label: URL
+      description: Where is the program policy located?
+      placeholder: ex. https://kubernetes.io/security
+    validations:
+      required: true
+  - type: input
+    id: contact
+    attributes:
+      label: Contact
+      description: What URL or email should be used to report a vulnerability?
+      placeholder: ex. https://hackerone.com/kubernetes
+    validations:
+      required: false
+  - type: dropdown
+    id: offers_bounty
+    attributes:
+      label: Bounty
+      description: Does the program offers monetary rewards?
+      options:
+        - 'No'
+        - 'Yes'
+    validations:
+      required: false
+  - type: textarea
+    id: additional-information
+    attributes:
+      label: Additional Information
+      description: Here you may optionally provide additional information
+    validations:
+      required: false

CONTRIBUTING.md

@@ -0,0 +1,50 @@
+# Contribution Guidelines
+
+Please format your contributions with either of the following commands:
+
+```bash
+jq --indent 3 -s '.[] | unique_by(.program_name)' < program-list.json > _ && mv _ program-list.json
+```
+
+or
+
+```bash
+./tools/format.sh
+```
+
+Alternatively, allow editing your fork by maintainers.
+
+### Getting started
+
+If you have new VDP or bug bounty program information to add, update, or delete in the [#diodb open-source vulnerability disclosure and bug bounty program list](https://github.com/disclose/diodb/blob/master/program-list.json), we'd love you to contribute by issuing a Pull Request.
+
+If you're new to Github, [this article](https://help.github.com/articles/creating-a-pull-request-from-a-fork/) is a good primer on how PRs work. If you'd like to help us create tooling to allow updates without the use of Git and PRs, get in touch at hello@disclose.io.
+
+### Adding a new program?
+
+Programs on the bug-bounty-list need to satisfy the definition of a public bug bounty or vulnerability disclosure program, which means they need two key components:
+
+1. `policy_url` - A publicly accessible vulnerability disclosure policy, sometimes called a program brief or bounty brief, and
+2. `contact_url` - A publicly accessible intake channel for vulnerability submissions. This intake channel must be explicitly mentioned in the vulnerability disclosure policy.
+
+If you work with an organization like this, encourage them to launch a formal and public program and point them to disclose.io for helpful tools to assist them along the way!
+
+### Other tips
+
+- Launch date can be tricky to find on some programs e.g., it's buried in a press release or blog post and not on the program page. If you think you've found a launch date, please include a reference to where you found it in the PR so the maintainers can check.
+- Some companies will offer these things on an ad-hoc or case-by-case basis, but this doesn't mean they're committing to do it for everyone. Be careful with the `bounty_offered`, `swag_offered`, and `hall_of_fame` options. As always, read the program page.
+
+### Some examples of suggestions that won't be accepted
+
+Remember, the goal of The disclose.io Project is to drive the adoption of VDP with best practices, so we'll only accept entries that satisfy the Policy and Intake requirement above.  
+
+Sometimes, organizations have informal vulnerability reporting setups. While these organizations provide lucky or persistent folks with the option to report issues, this arrangement does NOT constitute a formally established and fully endorsed public VDP.
+
+Some examples of this include:
+
+1. Private programs
+2. Invitation-only programs
+3. Updates where the intake channel is unlisted or informal in the policy
+4. Programs that you heard about from a friend but aren't listed publicly
+5. Programs without a public policy or a nominated channel for communication
+6. security.txt entries without a valid "policy_url"

README.md

@@ -6,15 +6,9 @@ A true, community-powered, vendor agnostic directory of all known VDP and BBPs,
 - Availability rewards, hall of fame, swag
 - Disclosure policy
 
-## Quickly search the database online: [https://disclose.io/programs/](https://disclose.io/programs/)
-
-## View the database raw: [https://github.com/disclose/diodb](https://github.com/disclose/diodb)
-
-## Visit this project on GitHub: [https://github.com/disclose/diodb](https://github.com/disclose/diodb)
-
 [![Disclose.io Vulnerability, VDP, and Bug Bounty Program Database](diodb-hero-image.png?raw=true "Disclose.io Vulnerability, VDP, and Bug Bounty Program Database")](https://github.com/disclose/diodb)
 
-### Quick Links
+### Quick links
 
 |Purpose|Link|
 |-|-|
@@ -28,60 +22,16 @@ A true, community-powered, vendor agnostic directory of all known VDP and BBPs,
 
 diodb exists to drive the adoption of Safe Harbor for hackers and promote the cybersecurity posture of early adopters, simplify the process of finding the right contacts and channel at an organization, and help both finders and vendors align around the expectations of engagement. It also provides a simple, vendor-agnostic point of engagement for program operators, potential program operators, and the security community to maintain updates to their program. 
 
-## How to contribute
+## How to Contribute
 
-Please format your contributions using `jq`, or allow editing forks by maintainers :)
+Contributions are very welcome! You may add a new program or update an existing one by either opening an issue or a pull request.
 
-```bash
-jq --indent 3 -s '.[] | unique_by(.program_name)' < program-list.json > _ && mv _ program-list.json
-```
+[Open an Issue](https://github.com/disclose/diodb/issues/new/choose)
 
 or
 
-```bash
-./tools/format.sh
-```
-
-### Getting started
-
-If you have new VDP or bug bounty program information to add, update, or delete in the [#diodb open-source vulnerability disclosure and bug bounty program list](https://github.com/disclose/diodb/blob/master/program-list.json), we'd love you to contribute by issuing a Pull Request.
-
-If you're new to Github, [this article](https://help.github.com/articles/creating-a-pull-request-from-a-fork/) is a good primer on how PRs work. If you'd like to help us create tooling to allow updates without the use of Git and PRs, get in touch at hello@disclose.io.
-
-### Adding a new program?
-
-Programs on the bug-bounty-list need to satisfy the definition of a public bug bounty or vulnerability disclosure program, which means they need two key components:
-
-1. "policy_url" - A publicly accessible vulnerability disclosure policy, sometimes called a program brief or bounty brief, and
-2. "contact_url" - A publicly accessible intake channel for vulnerability submissions. This intake channel must be explicitly mentioned in the vulnerability disclosure policy.
-
-If you work with an organization like this, encourage them to launch a formal and public program and point them to disclose.io for helpful tools to assist them along the way!
-
-### Other tips
-
-* Launch date can be tricky to find on some programs e.g., it's buried in a press release or blog post and not on the program page. If you think you've found a launch date, please include a reference to where you found it in the PR so the maintainers can check.
-* Some companies will offer these things on an ad-hoc or case-by-case basis, but this doesn't mean they're committing to do it for everyone. Be careful with the "bounty_offered", "swag_offered", and "hall_of_fame" options. As always, read the program page.
-
-### Some examples of suggestions that won't be accepted:
-
-Remember, the goal of The disclose.io Project is to drive the adoption of VDP with best practices, so we'll only accept entries that satisfy the Policy and Intake requirement above.  
-
-Sometimes, organizations have informal vulnerability reporting setups. While these organizations provide lucky or persistent folks with the option to report issues, this arrangement does NOT constitute a formally established and fully endorsed public VDP.
-
-Some examples of this include:
-
-1. Private programs
-2. Invitation-only programs
-3. Updates where the intake channel is unlisted or informal in the policy
-4. Programs that you heard about from a friend but aren't listed publicly
-5. Programs without a public policy or a nominated channel for communication
-6. security.txt entries without a valid "policy_url"
+Follow [the contribution guidelines](CONTRIBUTING.md) to prepare and open a Pull Request
 
 ## License
 
 <a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br /><span xmlns:dct="http://purl.org/dc/terms/" property="dct:title">disclose</span> by <a xmlns:cc="http://creativecommons.org/ns#" href="https://disclose.io" property="cc:attributionName" rel="cc:attributionURL">disclose.io</a> is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.
-
-## Other tips  
-
-* Launch date can be tricky to find on some programs e.g. it's buried in a press release or blog post and not on the program page. If you think you've found a launch date, please include a reference to where you found it in the PR so the maintainers can check.
-* Some companies will offer these things on an ad-hoc or case-by-case basis, but this doesn't mean they're committing to do it for everyone. Be careful with the bug_bounty, swag, and hall_of_fame options. As always, read the program page.