Why it matters

A vulnerability disclosure program gives security researchers a safe, legal way to report security issues to an organisation. Without one, researchers who discover flaws have no clear path to report them, and companies may never learn about critical vulnerabilities until they are exploited.

The security.txt standard (RFC 9116) provides a machine-readable way for organisations to publish their security contact information at /.well-known/security.txt.

How it works

We maintain a list of South African companies and their known domains. A scanner runs monthly and checks each domain for common indicators of a vulnerability disclosure program:

  • /.well-known/security.txt and /security.txt
  • Dedicated security or disclosure pages (/security, /responsible-disclosure, etc.)
  • Bug bounty program pages
  • Manual entries for policies at non-standard locations

Classification

Each company is classified with a simple binary result:

  • Yes: a security.txt, disclosure policy page, or manual entry was found.
  • No: no disclosure program detected.

Multiple domains

Many companies operate under multiple domains (e.g. a group domain and a consumer-facing domain). The scanner checks all known domains for each company and uses the best result. If a policy is found on any domain, it counts for the company.

Manual overrides

Some companies publish their disclosure policies at non-standard paths that the automated scanner can't reliably detect. We maintain a manual override list for these cases. Manual entries are clearly marked in the directory.
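The scan, classification, multiple-domain and manual-override rules from the sections above, as an added Python example (not the project's own scanner): the domains, the sample security.txt contents and the offline `fake_fetch` stand-in for HTTP GET are constructed, and the security.txt check applies the RFC 9116 requirements of at least one Contact field and a single, unexpired Expires field.

```python
from datetime import datetime, timezone
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed "today" for the expiry check
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")  # checked first
POLICY_PAGE_PATHS = ("/security", "/responsible-disclosure")  # dedicated policy pages

def valid_security_txt(body, now):
    """RFC 9116: at least one Contact, exactly one Expires, and the file not yet expired."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    expires = fields.get("expires", [])
    if not fields.get("contact") or len(expires) != 1:
        return False
    try:
        return datetime.fromisoformat(expires[0].replace("Z", "+00:00")) > now
    except ValueError:
        return False

def check_domain(domain, fetch, now):
    """Return the indicator found on one domain, or None. fetch(url) -> (status, body)."""
    for path in SECURITY_TXT_PATHS:
        status, body = fetch(f"https://{domain}{path}")
        if status == 200 and valid_security_txt(body, now):
            return f"security.txt at {path}"
    for path in POLICY_PAGE_PATHS:
        if fetch(f"https://{domain}{path}")[0] == 200:
            return f"policy page at {path}"
    return None

def classify_company(domains, fetch, now, manual=None):
    """Best result across all known domains; a manual override counts as Yes and is marked."""
    if manual:
        return "Yes", f"manual entry: {manual}"
    for domain in domains:
        found = check_domain(domain, fetch, now)
        if found:
            return "Yes", f"{domain}: {found}"
    return "No", "no disclosure program detected"

def fake_fetch(url):
    """Constructed offline stand-in for HTTP GET so the example runs without network."""
    site = {
        "https://group.example/.well-known/security.txt":
            "Contact: mailto:security@group.example\nExpires: 2027-01-01T00:00:00.000Z\n",
        "https://consumer.example/responsible-disclosure": "<html>disclosure policy</html>",
    }
    return (200, site[url]) if url in site else (404, "")
```

Running `classify_company(["group.example", "consumer.example"], fake_fetch, NOW)` reports Yes with the security.txt found on the group domain, which is the "best result" the directory records for the whole company.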

Limitations

This scanner is passive and non-intrusive. It only makes standard HTTP GET/HEAD requests to publicly accessible URLs. It does not perform any security testing. False positives and negatives are possible; a company may have a disclosure program that the scanner didn't detect.

Contributing

Know a company that has a disclosure program we missed? Found an incorrect entry? Contributions are welcome: submit a pull request or open an issue on GitHub.

Open data and AI access

Open Data Endpoints

This platform is open source and publishes machine-readable exports for search engines, researchers, and AI scanners.

Security.txt policy

Of course we have to have a security.txt policy. If you have any issues, email us at [email protected].