Responsible Disclosure

A trusted way to receive reports.

Give the world a safe, professional channel to report security issues to your team — without committing to a reward program.

Starts at
$500 / mo
hosted page + full triage included
Request Responsible Disclosure

No wallet top-ups. No hidden fees. Unlike other platforms, you never need to pre-load funds. The fee you pay is forwarded directly to the researcher — zero extra cost, zero platform markup on rewards.

Security researchers, customers, and even employees often want to report vulnerabilities — but most companies have no clear, safe way to receive them. A managed disclosure program gives them a trusted channel, gives you filtered and verified reports, and signals to the world that you take security seriously.

What you get

Built for results, not noise.

Hosted disclosure page

A professional, public security.txt + reporting page under your brand. Indexed and discoverable.

Single point of intake

All reports flow through one verified channel — no scattered emails, no missed messages.

Triage by our analysts

Every submission validated, deduplicated, and prioritized. Only verified, in-scope reports reach your team.

Safe harbor language

Standard, legally-vetted safe harbor terms so good-faith researchers feel safe reporting.

Clear policy & scope

We help you publish a clear scope, rules of engagement, and disclosure timeline.

No reward obligation

Disclosure is non-monetary by default. No wallet top-ups, no per-report fees — just a flat monthly platform fee.

Included

Everything in the box.

  • Hosted public disclosure page on your domain or ours
  • security.txt and contact metadata setup
  • Safe harbor policy template
  • Scope and rules-of-engagement document
  • Encrypted submission intake
  • Analyst triage and validation
  • Duplicate detection
  • Reporter communication handled by us
  • Verified reports forwarded to your team
  • Optional public hall-of-fame page
FAQ

Good to know.

How is this different from bug bounty?

Disclosure has no monetary reward — researchers report out of goodwill. Bug bounty pays for valid findings. Many companies start with disclosure and upgrade to bug bounty later.

Will we get spammed?

No. Our analysts triage every submission. Only verified, reproducible, in-scope reports are forwarded to your team.

Do we need to publicly acknowledge reporters?

Only if you want to. A hall-of-fame is optional. Some companies prefer to keep disclosure entirely private.

Is this required for compliance?

Increasingly yes — EU NIS2, ISO 27001:2022, and many sector regulators now expect a published vulnerability disclosure policy.

Ready to start?

Tell us about your scope and our team will reach out with the next steps.