Security & coordinated disclosure

Reporting a vulnerability

Email [email protected]. Our PGP key is published at /.well-known/disclosurelens-pgp.asc and referenced from /.well-known/security.txt.

Service-level commitments

• Acknowledgement within 24 hours
• Coordinated-disclosure window: up to 90 days from acknowledgement
• Public credit on this page (with researcher's consent)

Scope

In-scope assets:

• disclosurelens.com, app.disclosurelens.com, api.disclosurelens.com, docs.disclosurelens.com, taxii.disclosurelens.com
• Our public TAXII 2.1 collection
• The DisclosureLens extraction pipeline (prompt-injection reports welcome)

Out of scope:

• Third-party services we depend on (Anthropic, Cloudflare, Clerk, Stripe, Svix, etc.)
• Findings against the source regulator portals we fetch from
• Volumetric / DDoS testing

Safe harbor

We will not pursue legal action against good-faith research that complies with this policy. We ask researchers to:

• Avoid disrupting our service or other customers
• Avoid accessing or modifying customer data beyond what's necessary to demonstrate the issue
• Give us a reasonable window to remediate before public disclosure

Our own incident posture

DisclosureLens eats its own dog food. If we experience a material security incident, we file a self-disclosure into the DisclosureLens product itself (with source.type = self_disclosure) and publish a post-mortem within 14 days.

Acknowledgements

(Researchers credited here once the program receives valid reports.)