Coordinated Vulnerability Disclosure Policy

VulnScout is an independent security research organization that identifies and reports vulnerabilities in internet-facing systems, with a particular focus on under-resourced education, nonprofit, and government institutions. We believe security research is most useful when it produces actionable, well-coordinated disclosures — not headlines, not commercial leverage, and not bug-bounty arbitrage.

This page describes how we conduct our research, how we contact organizations with findings, and how you can verify that a disclosure you receive really came from us.

Who we are

VulnScout is a small team of security researchers. Our work follows the principles of coordinated vulnerability disclosure (CVD) as defined in ISO/IEC 29147 (Vulnerability Disclosure), ISO/IEC 30111 (Vulnerability Handling Processes), and the U.S. Cybersecurity and Infrastructure Security Agency’s Coordinated Vulnerability Disclosure Process. We prioritize respect, collaboration, and transparent communication with the organizations we contact.

What we do

We conduct internet-wide security research using widely available open-source vulnerability detection tooling. When we identify a likely vulnerability in a system that appears to belong to an in-scope organization, we:

  • Perform only the minimum verification required to confirm the finding is real and exploitable in principle.
  • Do not exploit findings beyond verification, exfiltrate data, attempt lateral movement, or take any action that could harm the affected system or its users.
  • Triage internally to determine severity and the appropriate disclosure channel.
  • Contact the affected organization through the most trustworthy channel available — a published security.txt file (RFC 9116), a formal coordinated vulnerability disclosure program, a sector CSIRT or ISAC, or a previously established relationship. Where no such channel exists, we attempt outreach to commonly used security mailboxes such as security@, ciso@, or soc@.

How to recognize an authentic VulnScout disclosure

A genuine disclosure email from VulnScout will:

  • Originate from a @vulnscout.com address — commonly the personal mailbox of one of our researchers, such as matt@vulnscout.com — and pass SPF, DKIM, and DMARC checks for vulnscout.com, as recorded in the Authentication-Results header that your own receiving mail server adds. A display name containing "vulnscout.com" is not sufficient; check the actual sender address and the domain the DKIM signature and DMARC result refer to.
  • Include the reporter’s real name in the signature.
  • Link to this Coordinated Disclosure Policy page.
  • Describe a specific vulnerability with enough detail for your team to triage it.
  • Make no request for payment, compensation, or commercial engagement of any kind.
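The sender checks in the list above, applied to a raw message, as an added example (this is not VulnScout's tooling and is not part of the original policy). It assumes your inbound mail server stamps an Authentication-Results header with the hypothetical authserv-id mx.example.edu, and both sample messages are constructed: one genuine, one spoofed with a lookalike domain and a forged Authentication-Results header.

```python
"""Check an inbound disclosure email against the sender requirements:
From: at vulnscout.com, and SPF, DKIM and DMARC passing for that domain
as recorded by *your own* receiving mail server.

Assumptions (hypothetical): your MTA's authserv-id is "mx.example.edu";
the sample messages below are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_DOMAIN = "vulnscout.com"


def _parse_auth_results(value: str) -> dict:
    """Parse 'authserv-id; spf=pass smtp.mailfrom=...; dkim=pass header.d=...'
    into {'authserv_id': ..., 'spf': {'result': 'pass', 'smtp.mailfrom': ...}, ...}."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    out = {"authserv_id": parts[0].split()[0] if parts else ""}
    for clause in parts[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", clause, re.S)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=([^\s()]+)", rest))
        out[method.lower()] = {"result": result.lower(), **props}
    return out


def check_disclosure_email(raw: bytes, authserv_id: str) -> list:
    """Return the reasons the message fails the checks; [] means all passed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    problems = []

    # Check the real address, not the display name.
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != TRUSTED_DOMAIN:
        problems.append(f"From address is {addr!r}, not @{TRUSTED_DOMAIN}")

    # Only trust the Authentication-Results header our own MTA added; a
    # sender can include a forged one in the message body they transmit.
    ar = None
    for hdr in msg.get_all("Authentication-Results", []):
        parsed = _parse_auth_results(str(hdr))
        if parsed["authserv_id"].lower() == authserv_id.lower():
            ar = parsed
            break
    if ar is None:
        problems.append(f"no Authentication-Results header from {authserv_id}")
        return problems

    for method in ("spf", "dkim", "dmarc"):
        if ar.get(method, {}).get("result") != "pass":
            problems.append(f"{method} did not pass")

    # A pass for some other domain must not be accepted: the DKIM signing
    # domain and the domain DMARC evaluated must both be the trusted one.
    if ar.get("dkim", {}).get("header.d", "").lower() != TRUSTED_DOMAIN:
        problems.append(f"DKIM signature is not from {TRUSTED_DOMAIN}")
    if ar.get("dmarc", {}).get("header.from", "").lower() != TRUSTED_DOMAIN:
        problems.append(f"DMARC evaluated a From domain other than {TRUSTED_DOMAIN}")
    return problems


# Constructed sample: a genuine-looking disclosure stamped by our own MTA.
GENUINE_SAMPLE = b"""From: Matt <matt@vulnscout.com>
To: security@example.edu
Subject: Coordinated disclosure
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=matt@vulnscout.com;
 dkim=pass header.d=vulnscout.com header.s=sel1;
 dmarc=pass (p=reject dis=none) header.from=vulnscout.com

Hello, we identified an issue on one of your hosts.
"""

# Constructed sample: display-name spoof, lookalike domain, and a forged
# Authentication-Results header that our MTA's own stamp contradicts.
SPOOFED_SAMPLE = b"""From: "matt@vulnscout.com" <matt@vulnscout-security.invalid>
To: security@example.edu
Subject: Coordinated disclosure
Authentication-Results: vulnscout.com; spf=pass smtp.mailfrom=matt@vulnscout.com;
 dkim=pass header.d=vulnscout.com; dmarc=pass header.from=vulnscout.com
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=matt@vulnscout-security.invalid;
 dkim=none; dmarc=fail (p=none) header.from=vulnscout-security.invalid

Hello, please wire a retainer before we share details.
"""

if __name__ == "__main__":
    print("genuine:", check_disclosure_email(GENUINE_SAMPLE, "mx.example.edu"))
    print("spoofed:", check_disclosure_email(SPOOFED_SAMPLE, "mx.example.edu"))
```

The authserv-id filter is the part most often skipped: Authentication-Results is just another header, so anything not added by your own mail server carries no weight. The genuine sample returns an empty list; the spoofed one reports the lookalike From domain and the SPF, DKIM, and DMARC failures your MTA actually recorded.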

How to verify a disclosure

If you receive a disclosure email and want to confirm it came from us before acting on it, you can:

  • Compose a new message (do not reply to the disclosure itself) to security@vulnscout.com, our policy and verification mailbox, from a device you trust, and ask us to confirm the disclosure's reference details. We initiate all contact via email; phone follow-up may occur once correspondence is established.
  • Cross-reference the sender’s claims against this page and our public presence at vulnscout.com.

When in doubt, contact us through a channel you established independently — never rely solely on contact information embedded in the suspicious email itself.

Our principles

  • Non-intrusive verification only. We do not exploit findings, exfiltrate data, or move laterally.
  • No compensation, paid services, or commercial engagement is requested, accepted, or solicited in exchange for our disclosures.
  • No public disclosure of organization-specific findings. We do not publicly disclose vulnerabilities affecting your specific systems — with or without your organization's name attached — under any timeline. Our role is to support remediation, not to apply public pressure. If direct contact attempts fail despite reasonable effort, we may route a private hand-off to a relevant CSIRT or sector ISAC (e.g., CISA Coordinator Services, MS-ISAC, REN-ISAC) for assistance; the disclosure remains private to those entities and to you. If we ever wish to share details of a remediation case publicly, for example as a case study at a security conference, we will do so only with your prior written consent.
  • Aggregate research may be shared. We may publish anonymized, aggregate findings — class-of-vulnerability prevalence, trends across the internet, or methodology notes — at security conferences and in written research. Such work never names, attributes, or identifies your organization.
  • Voluntary on both sides. Our reporting is voluntary; your engagement with us is voluntary. We do not impose unilateral deadlines, and we do not expect you to be bound by any timeline we did not mutually agree to.
  • Right to opt out. Any organization can be excluded from future scanning and reporting by emailing security@vulnscout.com with a list of IP ranges, hostnames, or ASNs to exclude.

Contact

  • Email: security@vulnscout.com

This policy is current as of May 21, 2026 and is subject to revision. The current version always lives at this URL.