Security & coordinated disclosure
Self-disclosure commitment
If DisclosureLens experiences a material security incident (anything that would be a notifiable breach under any of the regimes we index), we file the incident into the DisclosureLens product itself with source.type = self_disclosure, on the same timeline, and with the same fields, that we apply to the regulators we index. A post-mortem is published within 14 days.
We've not had to invoke this. The commitment is documented in advance so that, if we ever do, no one has to argue about the format. The same record schema. The same ai_assisted flag. The same corrections@ SLA. The dashboard is the source of truth even when it's the subject.
Reporting a vulnerability
Email security@disclosurelens.com. Our PGP key is published at /.well-known/disclosurelens-pgp.asc and referenced from /.well-known/security.txt.
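Because the security.txt file is what researchers' tooling reads first, it is worth checking it against RFC 9116 before relying on it. The checker below is an added example, not code from the DisclosureLens page or product. Its sample file is constructed: the contact address and PGP key path are taken from this page, while the Expires, Canonical, Policy and Preferred-Languages lines are assumed for illustration. It flags the mistakes that most often make a security.txt useless in practice: a missing or past Expires, an Expires without a time zone, and contact or key URIs served over plain http.

```python
"""RFC 9116 security.txt checker.

Added example, not part of the DisclosureLens page or product. The sample
file below is constructed: the contact address and PGP key path come from
the policy page, the remaining lines (Expires, Canonical, Policy,
Preferred-Languages) are assumed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on what the policy page says is published.
SAMPLE_SECURITY_TXT = """\
# DisclosureLens coordinated disclosure (constructed example)
Contact: mailto:security@disclosurelens.com
Encryption: https://disclosurelens.com/.well-known/disclosurelens-pgp.asc
Expires: 2026-12-31T23:59:59Z
Canonical: https://disclosurelens.com/.well-known/security.txt
Policy: https://disclosurelens.com/security
Preferred-Languages: en
"""

# Fixed "current time" so the demo and its checks are reproducible offline.
FIXED_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

REQUIRED = ("contact", "expires")                 # RFC 9116 mandatory fields
SINGLE_VALUED = ("expires", "preferred-languages")  # may appear at most once


def parse_security_txt(text):
    """Return {lowercased field name: [values]}, skipping comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear only once: {name}")

    # Contact must be a URI; plain http: is not acceptable for a security contact.
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {contact}")
    # Encryption points at the key: https URL, DNS record or OpenPGP fingerprint.
    for enc in fields.get("encryption", []):
        if not enc.startswith(("https://", "dns:", "openpgp4fpr:")):
            problems.append(f"Encryption is not an https:, dns: or openpgp4fpr: URI: {enc}")
    for url in fields.get("canonical", []) + fields.get("policy", []):
        if not url.startswith("https://"):
            problems.append(f"web URI must use https: {url}")

    # Expires: one ISO 8601 timestamp with a zone, in the future, ideally < 1 year out.
    if len(fields.get("expires", [])) == 1:
        value = fields["expires"][0]
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must include a time zone designator")
            elif expires <= now:
                problems.append("Expires is in the past; the file is stale")
            elif expires - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT, now=FIXED_NOW) or ["OK"]:
        print(problem)
```

Run it against the body fetched from https://disclosurelens.com/.well-known/security.txt (or any other host's file) and treat a non-empty result as a finding in its own right: a stale Expires or an http: key URL silently breaks the encrypted-reporting path this page promises.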
Service-level commitments
- Acknowledgement within 24 hours
- Coordinated-disclosure window: up to 90 days from acknowledgement
- Public credit on this page (with researcher's consent)
Scope
In-scope assets:
- disclosurelens.com
- app.disclosurelens.com
- api.disclosurelens.com
- docs.disclosurelens.com
- taxii.disclosurelens.com (our public TAXII 2.1 collection)
- The DisclosureLens extraction pipeline (prompt-injection reports welcome)
Out of scope:
- Third-party services we depend on (Anthropic, Cloudflare, Clerk, Stripe, Svix, etc.)
- Findings against the source regulator portals we fetch from
- Volumetric / DDoS testing
Safe harbor
We will not pursue legal action against good-faith research that complies with this policy. We ask researchers to:
- Avoid disrupting our service or other customers
- Avoid accessing or modifying customer data beyond what's necessary to demonstrate the issue
- Give us the coordinated-disclosure window above to remediate before publishing
Acknowledgements
(Researchers credited here once the program receives valid reports.)