go
.disclose.io
disclose.io
Everything we make, in one place.
Open source, vendor-neutral, free.
Connect
Start Here
disclose.io
The project home — the framework, the docs, and the mission.
disclose.io
directory.disclose.io
The open system of record for every known VDP and bug bounty program, graded against the maturity model.
directory.disclose.io
lookup.disclose.io
Turn any asset — domain, IP, repo, package, container, app — into the right security contact. Web UI, JSON API, and a hosted MCP server.
lookup.disclose.io
Framework & Terms
The canonical, lawyer-reviewed, CC0 safe-harbor and vulnerability-disclosure language.
disclose.io/framework
Docs
Learn how vulnerability disclosure, safe harbor, and the disclose.io resources work.
disclose.io/docs
Tools
policymaker.disclose.io
Generate a VDP policy, a safe-harbor clause, a security.txt, and a DNS Security TXT record.
policymaker.disclose.io
vault.disclose.io
alpha
A dead-man's switch for disclosure. Commit a finding under a timelock that cannot be bypassed.
vault.disclose.io
dnssecuritytxt.org
A standard for publishing your security contact at the DNS layer.
dnssecuritytxt.org
Data
Programs
Search the largest open directory of disclosure and bug bounty programs on the public internet.
disclose.io/programs
Platforms
A community-powered collection of every known bug bounty, VDP, and crowdsourced security platform.
disclose.io/platforms
Threats
An ongoing archive of legal threats made against researchers acting in good faith.
disclose.io/threats
Upcoming Dates
ICS feed
A subscribable calendar of policy deadlines, comment periods, and disclosure milestones.
dates.disclose.io/upcoming-dates.ics
Community
community.disclose.io
The open forum, where finders, builders, CERTs, and facilitators actually talk.
community.disclose.io
Contact
Questions, suggestions, or want to start a disclose.io project?
disclose.io/contact
Our own VDP
disclose.io practises what it publishes. Report an issue in our own stack here.
disclose.io/security
Reading
blog.disclose.io
Running With Scissors — commentary, plus the weekly PolicyPulse signal.
blog.disclose.io
Newsletter
PolicyPulse and long-form disclosure-policy writing, delivered.
discloseio.substack.com
history.disclose.io
The Archeology of Safe Harbor — a sourced, falsifiable history of where the terms came from.
history.disclose.io
Disclosure timeline
Major events in the standardization of vulnerability reporting and disclosure.
disclose.io/history
links.disclose.io
socials only
The short link-in-bio page — every social account in one hop.
links.disclose.io
Install
dio-lookup (npm)
Pipe internet assets into lookup.disclose.io and get security contacts back as JSONL. Built for recon pipelines.
www.npmjs.com/package/dio-lookup
MCP server (hosted)
Point any MCP client at this endpoint and your agent can resolve security contacts. Listed in the official MCP registry as io.github.disclose/lookup-disclose-io.
lookup.disclose.io/mcp
Caido plugin
Right-click any host in Caido to resolve its security-disclosure contact.
github.com/disclose/caido-lookup
Nuclei templates
Enrich every host Nuclei scans with the security contact responsible for it.
github.com/disclose/nuclei-templates
Contact
hello@disclose.io
General enquiries, ideas, and new project proposals.
mailto:hello@disclose.io
security@disclose.io
Report a vulnerability in disclose.io's own infrastructure.
mailto:security@disclose.io
Open source
diodb
superseded by directory.disclose.io
Open-source vulnerability disclosure and bug bounty program database
Python · 1,073 stars
bug-bounty-platforms
A community-powered collection of all known bug bounty platforms, vulnerability disclosure platforms, and crowdsourced security platforms currently active on the Internet.
HTML · 1,068 stars
research-threats
Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg
CSS · 327 stars
dioterms
Open-source vulnerability disclosure policy templates.
70 stars
dnssecuritytxt
A standard allowing organizations to nominate security contact points and policies via DNS TXT records.
35 stars
diosts
A Go scraper that validates security.txt files and outputs them in the disclose.io JSON format.
Go · 23 stars
website
The current website at https://disclose.io.
HTML · 19 stars
policymaker
A free, open-source, multi-lingual, template-based VDP policy, safe harbor clause, securitytxt, and DNS Security TXT generator.
Vue · 16 stars
dioseal
The Disclose.io Status best practice seal.
7 stars
burp-lookup
Burp Suite extension: look up security-disclosure contacts for any host via lookup.disclose.io
Java · 1 star
caido-lookup
Caido plugin: look up security-disclosure contacts for any host via lookup.disclose.io
TypeScript · 1 star
chrome-extension-v2
disclose.io browser extension — surfaces VDP / safe harbor / disclosure maturity for the current site, polled live from directory.disclose.io.
TypeScript · 0 stars
dio-lookup
Pipe internet assets to lookup.disclose.io and get security-disclosure contacts as JSONL — built for recon pipelines.
TypeScript · 0 stars
history.disclose.io
The Archeology of Safe Harbor — a sourced history of the disclose.io terms · https://history.disclose.io
HTML · 0 stars
nuclei-templates
disclose.io Nuclei enrichment templates — resolve the security-disclosure contact for every host you scan (via lookup.disclose.io)
0 stars
state-of-disclosure
A living one-page snapshot of the disclose.io ecosystem — ~27,500 organisations mapped against the maturity model, the threats archive, the platforms registry, and the full disclose.io stack.
TypeScript · 0 stars
vuln-disclosure-history
History of vulnerability disclosure
0 stars
zap-lookup
OWASP ZAP add-on: right-click a host to find its security-disclosure contact via lookup.disclose.io (the open-source-proxy sibling of the Burp & Caido plugins)
Java · 0 stars