Finding the Bug Was Easy. Finding Who to Tell Is the Real Nightmare.

You’ve been there. You found the vulnerability. Maybe it took hours, maybe it took weeks. But you found it — an exposed database, a broken auth flow, an IDOR that lets you pull someone else’s tax records with a single URL change. You feel that rush. And then reality sets in: who the hell do I tell?

Because here’s what nobody outside the security community understands: the hardest part of responsible disclosure isn’t the disclosure. It’s the responsible part. It’s tracking down a security@ email that bounces. It’s finding a contact page that hasn’t been updated since 2019. It’s submitting a report to a bug bounty platform only to get a bot response 72 hours later asking you to rephrase your PoC.

The bug bounty ecosystem doesn’t have a vulnerability problem. It has a communication problem disguised as a vulnerability problem.

Enter Disclosure Lookup, a Caido plugin from the disclose.io project. It’s deceptively simple: it queries the disclose.io database right from your Caido proxy workflow and tells you where to send your finding. Security email, bug bounty program, PGP key, policy URL — all of it, surfaced in seconds instead of the usual 40-minute scavenger hunt through WHOIS records, GitHub repos, and abandoned Twitter accounts.

Now, you might be thinking: that’s it? A lookup tool? Yes. And that’s exactly the point.

The security industry has spent years building increasingly sophisticated tools for finding vulnerabilities — fuzzers, scanners, AI-powered analyzers, entire platforms. But the pipeline that takes a vulnerability from found to fixed has a gaping hole right in the middle, and nobody wants to talk about it because it’s not a technical problem. It’s an organizational one.

We built machines that can find a zero-day in milliseconds, but we still rely on guessing email addresses to report it.

Think about what happens when a researcher can’t find a disclosure channel. Some give up — the report never gets filed, the vulnerability sits there, and eventually someone less responsible finds it. Some go public, because after three weeks of silence from a company that doesn’t list a security contact anywhere, what else are you supposed to do? And some get threatened with legal action because they dared to look for a way to contact the right people.

Every one of these outcomes is a failure. Not of the researcher. Not of the technology. Of the ecosystem.

The disclose.io project has been quietly building a database of disclosure policies and contacts for years — a public good maintained by volunteers who understood that the friction in disclosure isn’t a bug, it’s a design failure. The Caido plugin is just the latest access point: it brings that database directly into the tool researchers are already using, so the moment you spot something suspicious in your traffic, you’re two clicks away from knowing exactly where it needs to go.

The real vulnerability isn’t in the code. It’s in the gap between the person who finds it and the person who can fix it.

For open-source maintainers, this matters doubly. You’re already stretched thin, managing issues, PRs, and the occasional security report that lands in your personal inbox because your project doesn’t have a SECURITY.md file. Disclosure Lookup helps researchers find the right channel — which means fewer reports landing in the wrong place, fewer frustrated researchers going public prematurely, and fewer maintainers blindsided by a CVE they never heard about.

Is a Caido plugin going to fix the broken disclosure ecosystem? No. The ecosystem needs policy changes, legal protections for researchers, and a cultural shift where companies treat security reports as gifts rather than threats. But what this plugin does is something more immediate and more honest: it removes one layer of friction from a process that has too many. It says, we know this is hard, so let’s make it slightly less hard.

Sometimes the most impactful tools aren’t the ones that find the problems. They’re the ones that make sure the problems actually get heard.

Because a vulnerability nobody can report isn’t a vulnerability waiting to be fixed. It’s a vulnerability waiting to be exploited.

FAQ

Q: Isn't this just a database lookup? Why is this a big deal?

A: It is just a lookup — and that's exactly the indictment. The fact that a simple contact database is genuinely useful to researchers means the disclosure infrastructure is so broken that basic discoverability is a feature gap. The tool is simple. The problem it solves is systemic.

Q: What does this mean for me if I'm not a bug bounty hunter?

A: If you maintain any software, run a website, or manage infrastructure: make sure you're in the disclose.io database with a working security contact. If researchers can't find you, they can't warn you — and the next person who finds your vulnerability might not be looking to help.

Q: Doesn't this just enable more people to poke around systems they shouldn't?

A: No. The people who would exploit a vulnerability don't need a disclosure plugin — they need silence. This tool serves the people trying to do the right thing and getting blocked by missing contact info and bouncing emails. Blaming a lookup tool for enabling hackers is like blaming 911 for enabling crime.

📎 Source: View Source