lookup.disclose.io — Security Contact Lookup
Security Contact Resolution
Find who to tell.
Enter any asset identifier and we'll find the right security contact for vulnerability disclosure.
lookup.disclose.io is a security attribution lookup tool that helps security researchers find who owns digital assets and discover the best channels for reporting vulnerabilities. It supports 16 different input types and can automatically chain strategies together for deep attribution.
🚀 Quick Start
Web Interface
Enter any digital asset (domain, IP, package name, etc.) in the search box above
Click "Lookup" or press Enter
Review attribution and security contacts — primary channels first, fallbacks only if needed
CLI Interface
bun ~/Projects/lookup-disclose-io/cli.ts "cloudflare.com" --json
JSON API
curl -s https://lookup.disclose.io/api/lookup \
  -H "Content-Type: application/json" \
  -d '{"input":"cloudflare.com"}' | jq
MCP Server (for AI agents)
Streamable HTTP at https://lookup.disclose.io/mcp, or stdio via bun mcp.ts. See the API & MCP section below for client config.
📋 Supported Input Types
Automatic Detection
These are detected automatically - just enter them:
| Type | Example | What it finds |
|---|---|---|
| Domain | cloudflare.com | security.txt, bug bounty programs, CERT contacts |
| URL | https://example.com/path | Same as domain, extracted automatically |
| IPv4 | 8.8.8.8 | Network owner, abuse contacts, geolocation |
| IPv6 | 2001:db8::1 | Same as IPv4 |
| Email | [email protected] | Domain-based lookup |
| ASN | AS15169 | Network registration data |
| CIDR | 192.168.0.0/24 | Network block ownership |
With Prefixes
Use these prefixes for specialized lookups:
| Type | Format | Example | What it finds |
|---|---|---|---|
| Package | npm:package | npm:express | Package maintainer, repository, security policy |
| Package | pypi:package | pypi:requests | PyPI package details and maintainer |
| Package | crates:package | crates:serde | Rust crate information |
| Repository | gh:org/repo | gh:nodejs/node | GitHub SECURITY.md, maintainer contacts |
| Mobile App | app:name | app:WhatsApp | App store contacts, developer info |
| Hardware | hw:model | hw:Cisco ASA 5505 | PSIRT contacts, vendor info |
| Extension | ext:name | ext:uBlock Origin | Browser extension developer |
| Desktop App | desktop:name | desktop:Slack | Application vendor contacts |
Cloud Resources
# Amazon S3 bucket
bucket-name.s3.amazonaws.com
# Azure blob storage
account.blob.core.windows.net
# Google Cloud Storage
bucket-name.storage.googleapis.com
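The detection rules from the two tables above plus the cloud-storage hostnames, as an added example that is not the site's own classifier (TypeScript, since the project ships as cli.ts/mcp.ts). Every pattern and type name here is my own simplification, not the tool's; the shapes are tested most-specific first so that a CIDR block is not mistaken for an address and a bucket hostname is not reported as a plain domain.

```typescript
// Added example (not the project's own classifier): detects the automatically recognised
// types, the prefixed types and the cloud-storage hostnames, most specific shape first.
type InputType = "package" | "repository" | "mobile-app" | "hardware" | "extension"
  | "desktop-app" | "url" | "asn" | "email" | "cidr" | "ipv4" | "ipv6" | "cloud-storage"
  | "domain" | "unknown";

const PREFIXES: Record<string, InputType> = {
  npm: "package", pypi: "package", crates: "package", gh: "repository",
  app: "mobile-app", hw: "hardware", ext: "extension", desktop: "desktop-app",
};
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
// Full eight-group form, or a compressed form with exactly one "::" (no embedded IPv4).
const IPV6 = /^(([0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(([0-9a-f]{1,4}:){0,7}[0-9a-f]{1,4})?::(([0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?)$/i;
const DOMAIN = /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
const CLOUD_STORAGE = /\.(s3\.amazonaws\.com|blob\.core\.windows\.net|storage\.googleapis\.com)$/i;

function classify(raw: string): InputType {
  const s = raw.trim();
  // Explicit prefixes win; "https:" is not one of them and falls through to the URL test.
  const m = /^([a-z]+):(.+)$/i.exec(s);
  const prefixed = m && PREFIXES[m[1].toLowerCase()];
  if (prefixed) return prefixed;
  if (/^https?:\/\//i.test(s)) return "url";
  if (/^AS\d+$/i.test(s)) return "asn";
  const at = s.split("@");
  if (at.length === 2 && at[0].length > 0 && DOMAIN.test(at[1])) return "email";
  // "addr/bits" is a CIDR block only if the address is valid and the prefix length fits.
  const parts = s.split("/");
  if (parts.length === 2 && /^\d{1,3}$/.test(parts[1])) {
    const bits = Number(parts[1]);
    if (IPV4.test(parts[0]) && bits <= 32) return "cidr";
    if (IPV6.test(parts[0]) && bits <= 128) return "cidr";
    return "unknown";
  }
  if (IPV4.test(s)) return "ipv4";
  if (IPV6.test(s)) return "ipv6";
  // Cloud buckets are domains too, so test the provider suffixes before the generic domain.
  if (CLOUD_STORAGE.test(s) && DOMAIN.test(s)) return "cloud-storage";
  if (DOMAIN.test(s)) return "domain";
  return "unknown";
}
```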
🔗 Strategy Chaining
One of lookup.disclose.io's most powerful features is cross-strategy chaining - when one lookup leads to another automatically.
Example Chain: Package → Repository → Organization
npm:express
  ↓ (finds GitHub repository)
gh:expressjs/express
  ↓ (finds organization domain)
expressjs.com
  ↓ (finds security.txt)
security contacts found!
Real Chaining Example
Input: npm:lodash
Package Strategy: Queries npm registry → finds GitHub repo
Repository Strategy: Checks GitHub for SECURITY.md → finds organization
Website Strategy: Looks up organization domain → finds security.txt
Result: Complete attribution chain with multiple contact methods
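The Package → Repository → Website chain above, as an added example that is not the project's own code. The npm, GitHub and security.txt responses are constructed in-memory fixtures (the contact address is a placeholder), so it runs offline; the point is the hand-off rule, where each strategy returns the input the next one should take, and the seen-set that stops a chain from looping.

```typescript
// Added example, not the project's code: the Package -> Repository -> Website chain, driven
// by constructed fixtures that stand in for the npm registry, GitHub and the website fetch.
type Strategy = "package" | "repository" | "website";
interface Hop { strategy: Strategy; input: string; found: string[]; next?: string }

// Constructed fixtures (not live data); the repository URL follows npm's metadata shape.
const NPM: Record<string, { repository: string } | undefined> = {
  lodash: { repository: "git+https://github.com/lodash/lodash.git" },
};
const GITHUB: Record<string, { hasSecurityMd: boolean; orgDomain?: string } | undefined> = {
  "lodash/lodash": { hasSecurityMd: true, orgDomain: "lodash.com" },
};
// Contacts the Website strategy would read from the domain's security.txt (constructed).
const WEBSITE_CONTACTS: Record<string, string[] | undefined> = {
  "lodash.com": ["mailto:security@example.com"],
};
// Turn an npm repository URL into the gh:org/repo form that the Repository strategy takes.
function repoToGh(url: string): string | undefined {
  const m = /github\.com[/:]([^/]+)\/([^/.]+)/.exec(url);
  return m ? `gh:${m[1]}/${m[2]}` : undefined;
}

// One strategy run: what it found, plus the input the next strategy should take, if any.
function step(input: string): Hop {
  if (input.startsWith("npm:")) {
    const pkg = NPM[input.slice(4)];
    const next = pkg ? repoToGh(pkg.repository) : undefined;
    return { strategy: "package", input, found: next ? [next] : [], next };
  }
  if (input.startsWith("gh:")) {
    const slug = input.slice(3);
    const repo = GITHUB[slug];
    const found = repo?.hasSecurityMd ? [`github.com/${slug}/SECURITY.md`] : [];
    return { strategy: "repository", input, found, next: repo?.orgDomain };
  }
  // Anything else is treated as a domain; the Website strategy ends the chain.
  return { strategy: "website", input, found: WEBSITE_CONTACTS[input] ?? [] };
}

// Follow `next` hops until a strategy has nowhere to go; the seen-set stops cycles.
function resolve(input: string): Hop[] {
  const chain: Hop[] = [];
  const seen = new Set<string>();
  let cur: string | undefined = input;
  while (cur !== undefined && !seen.has(cur)) {
    seen.add(cur);
    const hop = step(cur);
    chain.push(hop);
    cur = hop.next;
  }
  return chain;
}
```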
📊 Understanding Results
Attribution Section
Organization: Who owns/controls the asset
Jurisdiction: Legal jurisdiction (country/state)
Confidence: How certain we are (High/Medium/Low)
Security Contacts
Contacts are split into two groups. Always try a Primary contact first; only escalate to Fallback if the primary channel is unreachable or unresponsive.
Primary — direct vendor channels:
Bug Bounty Programs (HackerOne, Bugcrowd, etc.)
security.txt contacts (RFC 9116 standard)
Repository SECURITY.md (GitHub/GitLab/Bitbucket disclosure)
DNS Security TXT (emerging standard)
PSIRT (vendor product security team)
Web form (vendor's published submission form)
Direct email (security@vendor, published vuln contact)
Fallback / escalation — generic, network-level, or jurisdictional:
Abuse contacts (WHOIS/RDAP — network-level, not vuln-level)
Convention emails (constructed security@domain, abuse@domain)
National CERTs (country-specific or EU CSIRTs Network)
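The Primary / Fallback split above, as an added example that is not the project's own code: it parses a constructed RFC 9116 security.txt (honouring the required Expires field, since an expired file must not be relied on), constructs the convention addresses that belong in Fallback, and orders everything by the tier lists given here, keeping the best-ranked copy when a convention address and a published one coincide. The contact values and the RDAP abuse entry are constructed sample data.

```typescript
// Added example, not the project's code: sorts discovered contacts into the Primary and
// Fallback tiers listed above, with RFC 9116 security.txt contacts parsed from a fixture.
type Kind = "bug-bounty" | "security-txt" | "security-md" | "dns-security-txt" | "psirt"
  | "web-form" | "direct-email" | "abuse" | "convention-email" | "national-cert";
interface Contact { kind: Kind; value: string; source: string }

// Order within each tier follows the lists above; any kind not in PRIMARY is a fallback.
const PRIMARY: Kind[] = ["bug-bounty", "security-txt", "security-md", "dns-security-txt",
  "psirt", "web-form", "direct-email"];
const FALLBACK: Kind[] = ["abuse", "convention-email", "national-cert"];
const ORDER: Kind[] = [...PRIMARY, ...FALLBACK];

// RFC 9116: "Contact" may repeat; "Expires" is required, and a past or unparseable value
// means the file must not be relied on, so it yields no contacts here.
function parseSecurityTxt(body: string, url: string, now: Date): Contact[] {
  const fields = body.split(/\r?\n/)
    .filter((l) => l.includes(":") && !l.startsWith("#"))
    .map((l): [string, string] => {
      const i = l.indexOf(":");
      return [l.slice(0, i).trim().toLowerCase(), l.slice(i + 1).trim()];
    });
  const expires = fields.find(([k]) => k === "expires")?.[1];
  if (!expires || !(new Date(expires).getTime() > now.getTime())) return [];
  return fields.filter(([k]) => k === "contact")
    .map(([, v]): Contact => ({ kind: "security-txt", value: v, source: url }));
}
// Convention addresses are constructed, never observed, so they always land in Fallback.
function conventionEmails(domain: string): Contact[] {
  return ["security", "abuse"].map((local): Contact =>
    ({ kind: "convention-email", value: `mailto:${local}@${domain}`, source: "convention" }));
}
function prioritize(contacts: Contact[]): { primary: Contact[]; fallback: Contact[] } {
  const rank = (c: Contact) => ORDER.indexOf(c.kind);
  const byValue = new Map<string, Contact>(); // keeps the best-ranked copy of a duplicate
  for (const c of [...contacts].sort((a, b) => rank(a) - rank(b))) {
    if (!byValue.has(c.value)) byValue.set(c.value, c);
  }
  const kept = Array.from(byValue.values());
  return { primary: kept.filter((c) => PRIMARY.includes(c.kind)),
    fallback: kept.filter((c) => !PRIMARY.includes(c.kind)) };
}
// Constructed sample: an in-date security.txt plus what RDAP and convention lookups added.
const SAMPLE_TXT = "Contact: mailto:security@example.com\nContact: https://example.com/report\n"
  + "Expires: 2030-01-01T00:00:00.000Z\nPreferred-Languages: en\n";
const NOW = new Date("2026-01-01T00:00:00Z"); // fixed clock so the result is reproducible
function demo(): { primary: Contact[]; fallback: Contact[] } {
  return prioritize([
    ...conventionEmails("example.com"),
    { kind: "abuse", value: "mailto:abuse@transit.example", source: "RDAP" },
    ...parseSecurityTxt(SAMPLE_TXT, "https://example.com/.well-known/security.txt", NOW),
  ]);
}
```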
Resolution Chain
Shows which strategies were used and how they connected:
Input: npm:lodash
├── Package Strategy (npm registry)
│   └── Found: github.com/lodash/lodash
├── Repository Strategy (GitHub)
│   └── Found: SECURITY.md + organization
└── Website Strategy (lodash.com)
    └── Found: security.txt contacts
🎯 Common Use Cases
1. Web Application Assessment
# Start with the...