Security & coordinated disclosure
Reporting a vulnerability
Email security@disclosurefeed.com. Our PGP key is published at /.well-known/disclosurefeed-pgp.asc and referenced from /.well-known/security.txt.
Service-level commitments
- Acknowledgement within 24 hours
- Coordinated-disclosure window: up to 90 days from acknowledgement
- Public credit on this page (with researcher's consent)
Scope
In-scope assets:
- disclosurefeed.com
- app.disclosurefeed.com
- api.disclosurefeed.com
- docs.disclosurefeed.com
- taxii.disclosurefeed.com
- Our public TAXII 2.1 collection
- The DisclosureFeed extraction pipeline (prompt-injection reports welcome)
Out of scope:
- Third-party services we depend on (Anthropic, Cloudflare, Clerk, Stripe, Svix, etc.)
- Findings against the source regulator portals we fetch from
- Volumetric / DDoS testing
Safe harbor
We will not pursue legal action against good-faith research that complies with this policy. We ask researchers to:
- Avoid disrupting our service or other customers
- Avoid accessing or modifying customer data beyond what's necessary to demonstrate the issue
- Give us a reasonable window to remediate before public disclosure
Our own incident posture
DisclosureFeed eats its own dog food. If we experience a material security incident, we file a self-disclosure into the DisclosureFeed product itself (with source.type = self_disclosure) and publish a post-mortem within 14 days.
Acknowledgements
(Researchers credited here once the program receives valid reports.)