We’re excited to announce that lookup.disclose.io is now live in beta!
What is it?
lookup.disclose.io helps you find the right security contact for any asset — so you can report vulnerabilities to the right people, faster. Enter a domain, IP, URL, npm package, GitHub repo, or organization name, and it will resolve security contacts from multiple data sources including:
- security.txt (RFC 9116)
- disclose.io Database (1,500+ programs)
- Bug bounty platforms (HackerOne, Bugcrowd, etc.)
- WHOIS/RDAP registration data
- GitHub SECURITY.md files
- National CERTs as a fallback
It supports 16 input types with cross-strategy chaining — a package lookup can chain to its repo, which chains to the org’s domain, which finds security.txt.
Try it out
Head to lookup.disclose.io and try some lookups:
- cloudflare.com
- npm:express
- gh:facebook/react
- 1.1.1.1
You can also deep-link directly: lookup.disclose.io?q=cloudflare.com
We need your feedback
This is a beta release and we’d love your help making it better. Things we’re especially interested in:
- Missing contacts — Did a lookup miss a known security contact?
- Wrong attribution — Did it identify the wrong organization?
- New input types — What else should it support?
- General UX — Is the interface clear and useful?
You can send feedback directly from the site (there’s a link in the beta banner), or open a GitHub issue.
The project is fully open source: github.com/disclose/lookup.disclose.io
Looking forward to hearing what you think!