disclose.io

1.1K posts

disclose.io

@disclose_io

Free open-source tools to standardize, normalize, promote, and protect good-faith security research.

The Internet Katılım Nisan 2018

891 Takip Edilen2.9K Takipçiler

disclose.io@disclose_io·1d

Hackers on the Hill — June 16, US Capitol. Researchers and Hill staff, same room. Real 1:1 office briefings. No vendors. No shilling. If you build or break things for a living, the policy folks should hear it from you. Register: hackersonthehill.org/us-2026

English

disclose.io retweetledi

cje@caseyjohnellis·4d

i'm seeing way, way more of these popping up over the past weeks/months, so i wanted to remind folks of some resources out there: - lookup.disclose.io (full reverse lookup w/ chaining and fallback contacts... MCP-enabled) - directory.disclose.io (~30,000 program directory w/ grading against @disclose_io maturity/safety model) - community.disclose.io (forum with folks willing to help make connections)

GIF

Tanner@wbmmfq

okay infosec twitter, I need some help. I came across an S3 bucket that has at least a million files of the insides of houses - some being lived in. i can't find a VDP for the company anywhere. what the fuck do i do?

English

5.6K

disclose.io@disclose_io·6d

Policy Pulse #14: UK AISI and Ireland's NCSC line up behind Project Glasswing. CyberUp ranks UK behind US, France, AU on researcher protection. CISA adds CVE-2026-31431 to KEV. blog.disclose.io/policy-pulse-i…

English

disclose.io@disclose_io·4 May

Policy Pulse #13. AISI's GPT-5.5 eval confirms frontier-model offensive cyber is a trend, not a Mythos one-off. NIST drops enrichment for ~29,000 CVEs. UK is the only major western economy with no statutory defence for cyber pros. blog.disclose.io/policy-pulse-i…

English

disclose.io retweetledi

Tarjei Mandt@kernelpool·1 May

Remember the time when everyone reported this stuff for free?

Looben Yang@loobeny

@GoogleVRP AI totally changed vulnerability research/ bug hunting. The Chrome VRP is officially dead. The reward amount is 10x less.

English

8.9K

disclose.io@disclose_io·27 Nis

If you've received a cease-and-desist for security research, you're not alone. Cases that become public are the evidence base for CFAA reform and safe-harbor adoption. Lawyer first. Public record later, if you choose: blog.disclose.io/disclose-io-th…

English

disclose.io@disclose_io·26 Nis

Policy Pulse #12: 13 new CVEs hit CISA's KEV catalog in 5 days. UK AISI publishes the first government evaluation of a frontier model's offensive cyber capabilities. CISA doesn't have access. blog.disclose.io/policy-pulse-i…

English

disclose.io retweetledi

Daniel Cuthbert@dcuthbert·22 Nis

A brilliant read by @ZephrFish on bullying LLMs at scale to find bugs. He delves into hallucinations and validation and also kindly did a hat tip to RAPTOR blog.zsec.uk/bullyingllms/ Well worth a hot drink and your time

English

4.1K

disclose.io retweetledi

Daniel Cuthbert@dcuthbert·9 Nis

Claude and @phrack and @calif_io are just amazing blog.calif.io/p/mad-bugs-fee…

English

2.4K

disclose.io retweetledi

Daniel Cuthbert@dcuthbert·3 Nis

Well that’s a story in itself

English

1.6K

disclose.io retweetledi

Tarjei Mandt@kernelpool·3 Nis

Ultimately the bar for finding bugs will become higher

Gadi Evron@gadievron

Holy wow! The Linux kernel is the clearest example on the democratization of vulnerability research using LLMs, and how effective it is.

English

4.7K

disclose.io@disclose_io·29 Mar

The CVE program's funding crisis is "resolved" -- by a mystery contract with a mystery number. Plus lookup.disclose.io goes live in beta. Policy Pulse #8: blog.disclose.io/policy-pulse-i… #CVE #InfoSec

English

124

disclose.io@disclose_io·22 Mar

Policy Pulse #7 is live — NIST SSDF 1.2 due March 31, CIRCIA stalled by DHS shutdown, Langflow CVE exploited in 20hrs, and SRLDF expands its board. blog.disclose.io/policy-pulse-i…

English

169

disclose.io@disclose_io·20 Mar

Joining the Security Research Legal Defense Fund Board m.disclose.io/4stjKgG

English

disclose.io retweetledi

Charlie Miller@0xcharlie·6 Mar

This is one of many reasons I only looked for bugs in major products because then you have some leverage with going public in case things go south.

Ryan Naraine@ryanaraine

🤯 Quarkslab spent five months trying to report vulns to security vendor Avira/Gen Digital but hit a deadlock because Gen Digital would only accept reports through their bug bounty platform (which required an NDA), so Quarkslab eventually just emailed the report and published after 90 days. This timeline explains the madness blog.quarkslab.com/avira-deserial…

English

10.5K

disclose.io retweetledi

Dan Guido@dguido·3 Mar

Big skill drop from @trailofbits today! Here are 10 new skills we publicly released from our internal repository: 🧵

English

450

72.5K

disclose.io@disclose_io·16 Şub

Policy Pulse #3: CISA orders unsupported edge devices eliminated, MITRE CVE contract 30 days from expiring, UK advancing statutory defence for researchers, and 3/4 of researchers report facing threats. blog.disclose.io/policy-pulse-i…

English

124

disclose.io@disclose_io·10 Şub

Federal contractor VDP mandate advancing to Senate. 29% of exploited vulns attacked on or before CVE publication day. Policy Pulse covers the biggest shift in disclosure policy this year: blog.disclose.io/policy-pulse-i…

English

495

disclose.io retweetledi

bugcrowd@Bugcrowd·10 Şub

3️⃣ Silence is one of the biggest risks. A shocking 65% of hacker findings never reach defenders. Many hackers choose not to report bugs due to unclear or unsafe disclosure paths. ✅Why it matters: If reporting feels risky or pointless, critical issues stay hidden from those who can fix them.

English

107

disclose.io retweetledi

AndrewMohawk⁽ⁿᵘˡˡ⁾@AndrewMohawk·21 Oca

All web3 bug bounty people please read: discernibleinc.com/blog/3-counter… h/t @iMeluny

English

592

Keşfet

@ZephrFish @phrack @calif_io @trailofbits @iMeluny @elonmusk @BarackObama @taylorswift13