Tools
Free, open-source tools from the disclose.io project — for organizations launching a VDP, for researchers finding the right contact, and for everyone working to make vulnerability disclosure simpler.
The disclose.io project ships four tools — each free, each open-source, each addressing a specific friction in the vulnerability disclosure pipeline.
Policymaker
policymaker.disclose.io — Interactive policy generator
Generates a customized vulnerability disclosure policy (VDP) for any organization using the canonical legal terms from the disclose.io Framework. Pick a maturity level, fill in the organization name and contact channel, and walk away with safe-harbor language, a security.txt file, and a complete disclose.io-compliant policy.
Directory
directory.disclose.io — The open VDP and bug bounty programs database
Browse every known vulnerability disclosure and bug bounty program. Each entry includes the organization, in-scope assets, policy URL, and any safe-harbor language. Open-source, community-curated, and the data source behind the Lookup attribution tool.
Lookup
lookup.disclose.io — Security contact attribution
Turn any input — domain, IP, URL, email, ASN, npm package, mobile app, hardware product, free-text company name — into the right disclosure contact. The tool chains 11 attribution strategies (security.txt, the Directory, WHOIS, DNS SOA, common security@ aliases, bug bounty platform records, and more) and returns the highest-confidence contact with provenance. Available as a web UI, HTTP API, and MCP server.
Vault
vault.disclose.io — Cryptographically enforced disclosure deadlines
A dead-man’s-switch for vulnerability disclosure. A researcher commits a disclosure with a future publication date; the disclosure is encrypted with a timelock that cannot be bypassed, even by the operators of the vault. On expiry, the disclosure becomes publicly readable — regardless of what happens to anyone involved.
Browser extension
Chrome extension (also referenced as the Disclose extension)
Surfaces the disclose.io directory’s VDP posture for any site you visit — see at a glance whether the organization has a published VDP, what their safe-harbor language is, and where to report a vulnerability.
Browse the source
Every tool is open-source under the github.com/disclose organization. Contributions, issue reports, and policy improvements are all welcome.