Your security3managed.

Run vulnerability disclosure without the chaos.

By joining, you agree to our Privacy Policy.

app.disclosr.com/inbox
Inboxsorted by severity
DSC-4192High

IDOR on /api/orders exposes other tenants

Needs review · maya@researcher.io

DSC-4191Spam

“I can hack your site for $$$”

Auto-closed · noreply@spam.xyz

DSC-4187High

Stored XSS in the review field

Client-notified · priya@0xteam.dev

DSC-4183Medium

S3 bucket lists object keys publicly

In progress · tom@vidal.sh

Disclosr agent

Not spamNot a duplicateSeverity: High0.86

Reproduced the IDOR on /api/orders and rated it High. Reference DSC-4192, 30-day window. Safe harbor applies.

ApproveEdit
IntakeTriageValidateDeduplicatePrioritizeRouteRespondCloseIntakeTriageValidateDeduplicatePrioritizeRouteRespondClose

A whole disclosure program.
None of the work.

One inbox, not your team's

Every report arrives by form or email and lands on us. Publish your program in a day.

Set up your program123

Company name

Acme Retail

Primary domain

acme.com

Security contact

security@acme.com
Reporting inbox reports-acme@disclosr.inbox
Publish

The noise closes itself

Spam and duplicates are triaged and dropped before a person ever looks.

Real safe harbor, signed off

Good-faith research is protected, and nothing reaches your devs until a person confirms it.

Authorized & protected

If you make a good-faith effort to comply with this policy during your research, we will consider your research authorized, work with you to understand and resolve the issue quickly, and recognize your contribution.

We will not recommend or pursue legal action related to your research, provided you comply with the guidelines set out here.

security.txt & policy

Generated and published under your name.

disclosr.com/policy/acme

Vulnerability Disclosure Policy

Acme Retail values the work of researchers in keeping our users safe. This policy describes what is covered and how to report.

Safe Harbor

We consider good-faith research conducted under this policy authorized, lawful, and exempt from restrictions in our Terms of Service that would interfere with security research. We will not pursue legal action for accidental, good-faith violations.

Lands where you work

Private by default

Your data never leaves your control.

Tell us your company. We manage your whole program.

app.disclosr.com/onboarding

Set up your program

1CompanyScopePublish

Company name

Acme Retail

Primary domain

acme.com

Security contact

security@acme.com

In scope

*.acme.comMain web applicationPublic APIs
Reporting inbox reports-acme@disclosr.inbox

You’ll publish

security.txt

RFC 9116, at /.well-known/

Policy page

hosted under your name

Safe-harbor terms

disclose.io Core Terms

Worth asking.

Because the vulnerabilities already exist. Researchers and attackers are already testing your product, and the only real question is whether the next person to find a flaw has a safe, legal way to tell you, or is left to disclose it publicly or quietly sell it. Without a policy those reports land in a personal inbox, a support queue, or a tweet, and get lost. A VDP gives every reporter one authorized front door, an instant acknowledgment, and a reference number. It is also increasingly expected: the EU Cyber Resilience Act and NIS2 assume a coordinated disclosure process, and enterprise security reviews ask for one directly. And the safe harbor at its core is what keeps good-faith researchers working with you instead of around you. It is the baseline every mature security program starts from, and bounties are optional on top.