OnlyVulns: Researcher-controlled disclosure

Vulnerability disclosures researchers control.

Prepare private disclosures, preserve vendor timelines, set embargoes, manage waiting periods, publish useful advisories, and surface reputation signals without giving vendors control over the workflow.

Demo counts: 3 pending, 2 published, 2 ignored.
Public feed: free.

Release workflow

Timeframes are visible before publication.

Demo data updates locally.

Next release: -- (earliest pending disclosure window).

Waiting period: 72h. Cancel, delay, modify, or delete.

Public archive: permanent. Searchable unless removed by policy.

Public demo

Disclosures people can inspect

Filter live demo disclosures by status, severity, vendor, product, CWE, or reputation signal.

Lifecycle

The page should show how publication actually works.

This demo makes the core workflow visible: draft privately, set an embargo, enter a waiting period, retain researcher control, then publish automatically unless the researcher cancels or delays.

01 Draft: Upload the PoC, write-up, affected versions, CVSS vector, CWE tags, screenshots, references, and mitigation notes.

02 Embargo: Keep details private while the researcher coordinates externally with the affected vendor or maintainers.

03 Waiting period: After embargo expiration, the researcher still has a final window to cancel, delay, modify, or delete before release.

04 Public archive: The advisory becomes searchable, machine-readable, attributable, shareable, and available through public feeds.
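The four steps above, together with the 72h waiting period and the "Next release" card, describe a small state machine. The following is an added example written for this page, not OnlyVulns' own code: it models a disclosure as Draft -> Embargo -> Waiting -> Published, with the researcher able to delay or cancel while the record is still pending and automatic publication once the waiting period runs out. The class, method and status names, and the demo clock, are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# 72h waiting period, the value shown on the demo page.
WAITING_PERIOD = timedelta(hours=72)


class Status(Enum):
    DRAFT = "draft"          # private; nothing scheduled yet
    EMBARGO = "embargo"      # private; researcher coordinating with the vendor
    WAITING = "waiting"      # embargo expired; final window to cancel or delay
    PUBLISHED = "published"  # in the public archive
    CANCELLED = "cancelled"  # researcher withdrew before release


PENDING = (Status.EMBARGO, Status.WAITING)


@dataclass
class Disclosure:
    """Hypothetical disclosure record; names are assumptions, not the product's."""
    title: str
    embargo_until: datetime
    status: Status = Status.DRAFT
    release_at: Optional[datetime] = None

    def submit(self) -> None:
        """Draft -> Embargo. Fixes the release time: embargo end + waiting period."""
        if self.status is not Status.DRAFT:
            raise ValueError(f"cannot submit from {self.status.value}")
        self.status = Status.EMBARGO
        self.release_at = self.embargo_until + WAITING_PERIOD

    def tick(self, now: datetime) -> Status:
        """Clock-driven transitions; a scheduler would call this periodically."""
        if self.status is Status.EMBARGO and now >= self.embargo_until:
            self.status = Status.WAITING
        if self.status is Status.WAITING and now >= self.release_at:
            self.status = Status.PUBLISHED  # automatic unless cancelled or delayed
        return self.status

    def delay(self, by: timedelta) -> datetime:
        """Researcher pushes the release later; only allowed while pending."""
        self._require_pending("delay")
        if self.status is Status.EMBARGO:
            self.embargo_until += by  # embargo still running: shift it too
        self.release_at += by
        return self.release_at

    def cancel(self) -> None:
        """Researcher withdraws; allowed any time before publication."""
        self._require_pending("cancel")
        self.status = Status.CANCELLED

    def _require_pending(self, action: str) -> None:
        if self.status not in PENDING:
            raise ValueError(f"cannot {action} a {self.status.value} disclosure")


def next_release(items: list) -> Optional[datetime]:
    """Earliest scheduled release among pending disclosures ('Next release' card)."""
    pending = [d.release_at for d in items if d.status in PENDING]
    return min(pending) if pending else None


def status_counts(items: list) -> dict:
    """Per-status totals, like the pending/published counters on the page."""
    return {s.value: sum(1 for d in items if d.status is s) for s in Status}


# Constructed demo clock so the example runs offline and deterministically.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)


def ts(days: float, hours: float = 0) -> datetime:
    return T0 + timedelta(days=days, hours=hours)


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


if __name__ == "__main__":
    d = Disclosure("demo-advisory", embargo_until=ts(7))
    d.submit()
    for day in (3, 7, 8, 10):
        print(f"day {day}: {d.tick(ts(day)).value}")
    print("next release:", next_release([d]))
    print(status_counts([d]))
```

The point of keeping publication clock-driven in `tick` is that nothing happens on the vendor's say-so: the record moves forward on its own schedule, and the only inputs that change that schedule come from the researcher via `delay` and `cancel`, both of which refuse to act once the advisory is already public.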

Reputation

Researcher credit and vendor accountability belong in the product.

Reputation should be generated from public disclosure records, researcher-entered timelines, community feedback, evidence attachments, and moderation safeguards.

Researcher reputation

Verified reports, documentation quality, trusted reviews, contribution history, reproducibility, and public advisory quality.

Vendor reputation

Acknowledgement time, remediation time, ignored disclosures, disputes, payment issues, safe harbor quality, and researcher treatment.

Bug bounty transparency

Researcher-submitted feedback on report handling, duplicate handling, scope issues, payment reliability, and retaliation or bans.

Abuse controls

Moderation, evidence attachment, rate limits, anti-brigading controls, reputation weighting, reporting, and appeal workflows.

Useful by default

Structured pages, not vague announcements.

Every public page should serve researchers, defenders, nonprofits, journalists, incident responders, and the broader security community.

Technical record

PoC details, Markdown write-up, affected products, versions, platform tags, references, and advisory IDs.

Severity metadata

CVSS score, CVSS vector, severity rating, CWE tags, CPE/product tags, known exploitation, and patch availability.

Vendor behavior

Researcher-entered vendor outreach, acknowledgement, response quality, dispute status, remediation status, and payment issues.

Public feed

RSS, JSON, API access, webhooks, search indexing, and machine-readable vulnerability metadata without a paywall.

Before launch

Policies are part of the product.

A researcher-first disclosure platform needs clear rules for high-risk research, disputed claims, legal threats, malware handling, moderation, appeals, and researcher safety before public launch.

Coordinated disclosure policy
Researcher protection policy
Malware and PoC handling policy
Takedown and legal request policy
Moderation and appeal policy
Donation and payout policy

Open-source nonprofit build

Build the disclosure workflow in public.

This page is a functional demo shell: disclosure list, statuses, timeframes, filtering, selected advisory preview, reputation signals, waiting-period logic, and core product model.