Your security3managed.
Run vulnerability disclosure without the chaos.
By joining, you agree to our Privacy Policy.
IDOR on /api/orders exposes other tenants
Needs review · maya@researcher.io
“I can hack your site for $$$”
Auto-closed · noreply@spam.xyz
Stored XSS in the review field
Client-notified · priya@0xteam.dev
S3 bucket lists object keys publicly
In progress · tom@vidal.sh
Disclosr agent
Reproduced the IDOR on /api/orders and rated it High. Reference DSC-4192, 30-day window. Safe harbor applies.
A whole disclosure program.
None of the work.
One inbox, not your team's
Every report arrives by form or email and lands on us. Publish your program in a day.
Company name
Primary domain
Security contact
The noise closes itself
Spam and duplicates are triaged and dropped before a person ever looks.
Real safe harbor, signed off
Good-faith research is protected, and nothing reaches your devs until a person confirms it.
Authorized & protected
If you make a good-faith effort to comply with this policy during your research, we will consider your research authorized, work with you to understand and resolve the issue quickly, and recognize your contribution.
We will not recommend or pursue legal action related to your research, provided you comply with the guidelines set out here.
security.txt & policy
Generated and published under your name.
disclosr.com/policy/acme
Vulnerability Disclosure Policy
Acme Retail values the work of researchers in keeping our users safe. This policy describes what is covered and how to report.
Safe Harbor
We consider good-faith research conducted under this policy authorized, lawful, and exempt from restrictions in our Terms of Service that would interfere with security research. We will not pursue legal action for accidental, good-faith violations.
Lands where you work
Private by default
Your data never leaves your control.
Tell us your company. We manage your whole program.
Set up your program
Company name
Primary domain
Security contact
In scope
You’ll publish
security.txt
RFC 9116, at /.well-known/
Policy page
hosted under your name
Safe-harbor terms
disclose.io Core Terms
Worth asking.
Because the vulnerabilities already exist. Researchers and attackers are already testing your product, and the only real question is whether the next person to find a flaw has a safe, legal way to tell you, or is left to disclose it publicly or quietly sell it. Without a policy those reports land in a personal inbox, a support queue, or a tweet, and get lost. A VDP gives every reporter one authorized front door, an instant acknowledgment, and a reference number. It is also increasingly expected: the EU Cyber Resilience Act and NIS2 assume a coordinated disclosure process, and enterprise security reviews ask for one directly. And the safe harbor at its core is what keeps good-faith researchers working with you instead of around you. It is the baseline every mature security program starts from, and bounties are optional on top.