disclose.io 

Free open-source tools to standardize, normalize, and promote the adoption of vulnerability reporting and disclosure. #internetimmunesystem #hacktheplanet
Github: https://github.com/disclose
Get started…: https://linktr.ee/disclose
VDP Policy Generator: https://policymaker.disclose.io/
Disclosure Assistance: https://community.disclose.io/c/hacker-connect/5
Researcher Threats DB: https://threats.disclose.io
Bose open-sources its SoundTouch home theater smart speakers ahead of end-of-life https://arstechnica.com/gadgets/2026/01/bose-open-sources-its-soundtouch-home-theater-smart-speakers-ahead-of-eol/

If companies insist on bricking gadgets, this is a better way to do it.

Ars Technica
Platforms.disclose.io just added 25 NEW bug bounty and VDP platforms! - @disclose_io Community Forum https://community.disclose.io/t/platforms-disclose-io-just-added-25-new-bug-bounty-and-vdp-platforms/934

Hey! We just updated https://platforms.disclose.io with 25+ new bug bounty & VDP platforms! 🎯

Notable additions:
• Web3: @Cantinaxyz @CodeHawks @CertiK @xyz_remedy
• Russia: @standoff365 @bizone
• Asia: @IssueHunt (Japan), @patchday_io (Korea), Butian (China)

The ecosystem keeps growing. Check out the full list: https://platforms.disclose.io

#BugBounty #VDP #Cybersecurity

Open-Sourced Collection of Bug Bounty Platforms

Open-Sourced Collection of Bug Bounty Platforms Part of The @disclose_io Project.

Bug Bounty Platforms
Need Help – Company Shut Down Bug Bounty Program After Fixing My 10 Reported Bugs Without Reward - Hacker Connect - @disclose_io Community Forum https://community.disclose.io/t/need-help-company-shut-down-bug-bounty-program-after-fixing-my-10-reported-bugs-without-reward/907

I reported 10 valid bugs including SQL Injection and account takeover to a company running a public bug bounty program. Initially, they acknowledged the reports and later fixed all the issues. But instead of rewarding or crediting me, they gave excuses and rejected them. Shortly after, they shut down their bug bounty program entirely. There’s no official body to protect bug hunters in such cases. If there is someone who can help me with this situation, please reply.

@disclose_io Community Forum
Possibly uncovering a domain spoofing scheme targeting major real estate brands — looking for guidance - Hacker Connect - @disclose_io Community Forum https://community.disclose.io/t/possibly-uncovering-a-domain-spoofing-scheme-targeting-major-real-estate-brands-looking-for-guidance/924

Hi all, I’ve come across what might be a coordinated domain spoofing or redirect scheme affecting multiple large companies in the real estate and homebuilding industry — including portals, brokerages, and mortgage players. This started when I noticed strange traffic behavior involving my own business, which led me to uncover several domains mimicking major industry brands or just lots of spoofed domains sitting on the same exact IP clusters. Many redirect to real corporate login pages or appea...

@disclose_io Community Forum

Risky Bulletin: Russian bill would require researchers to report bugs to the FSB 👀

https://risky.biz/risky-bulletin-russian-bill-would-require-researchers-to-report-bugs-to-the-fsb/

Ugh… It’s 2025 and vendors still don’t understand the Streisand effect.

cc: @disclose_io (https://threats.disclose.io)

YouTuber with nearly 4M subscribers sued by lock company after he breaks into lock with just a can https://www.uniladtech.com/social-media/youtube/youtuber-trevor-mcnally-sued-lock-company-using-can-920271-20251028

Research Threats: Legal Threats Against Security Researchers

Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg Part of The @disclose_io Project.

Security Research Threats

🚨 Security Researchers: We need your input! 🚨

👀 NYU and Strathclyde University are studying researchers’ experiences with legal risks under US and UK law. Whether you’ve faced challenges, positive outcomes, or simply weighed the risks, we’d love to hear your story.

👉 Spare an hour or two? Reach out! All responses are anonymous, and we’ll address any concerns.

📣 Please share—your input could shape a better understanding of the legal landscape for researchers.

https://m.disclose.io/4lkPpgy

Research on legal risk experiences — seeking interviewees

We’re doing a research project to document researchers’ lived experiences of legal risk under US and UK law. If you’ve experienced legal risks under US or UK law, and can spare an hour or two of your time, we may be interested in interviewing you. We’re interested in good experiences, bad experiences, and anything in between — including any experience where you had to think seriously about legal risks, even if nothing more came of it. Please reach out if you’d be open to speaking with us, or ha...

@disclose_io Community Forum
Warner, Lankford Announce Legislation to Strengthen Federal Cybersecurity Measures, Implement Mandatory Vulnerability Disclosure Policies https://www.warner.senate.gov/public/index.cfm/2024/8/warner-lankford-announce-legislation-to-strengthen-federal-cybersecurity-measures-implement-mandatory-vulnerability-disclosure-policies

WASHINGTON — U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and James Lankford (R-OK), a member of the Senate Committee on Homeland Security & Governmental Affairs, today announced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, legislation they will introduce to strengthen federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology (NIST). Companion legislation, introduced in the House of Representatives, is being led by Rep. Nancy Mace (R-SC-01).

Vulnerability Disclosure Policies (VDP) provide a way for organizations to receive unsolicited reports of vulnerabilities within their software so that they can be patched before an attack takes place. Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Currently, civilian federal agencies are required to have VDPs; however, there is no requirement for federal contractors – civilian or defense – to have VDPs for the information systems used in the fulfillment of their contracts. This legislation would require the implementation of VDPs among federal contractors and formalize actions to accept, assess, and manage vulnerability disclosure reports in order to help reduce known security vulnerabilities among federal contractors.

“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” said Sen. Warner. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure, and sensitive data from potential attacks.”

“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” said Sen. Lankford.

Specifically, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would:
• Require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required by federal agencies;
• Require the Secretary of Defense to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements to ensure defense contractors implement the same.

This legislation is the latest step in Sen. Warner’s efforts to mitigate the damage of potential cybersecurity attacks. He has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner also co-authored legislation that requires companies responsible for U.S. critical infrastructure report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.

“Palo Alto Networks applauds Senator Warner’s continued efforts to promote federal cyber resilience through the Federal Cybersecurity Vulnerability Reduction Act. This legislation has strong bipartisan support, and will benefit the entire cybersecurity ecosystem,” said Bruce Byrd, EVP and General Counsel of Palo Alto Networks.

“This bipartisan legislation addresses a critical gap in our nation’s cybersecurity protections by bringing the practices of federal contractors in line with those of the agencies they serve and with guidelines issued by the National Institute of Standards and Technology,” said Ilona Cohen, Chief Legal and Policy Officer of HackerOne. “This proactive approach to security will ensure that businesses are actively protecting government systems, critical infrastructure, and sensitive data from exploitation by malicious actors. We applaud Senators Warner and Lankford for their leadership on this important issue.”

A copy of the legislation is available here. A one-pager of the legislation is available here.

###

Mark R. Warner