About This Project

disclosure.org.za is a public directory that tracks which JSE-listed South African companies have vulnerability disclosure programs (VDPs), security.txt files, and responsible disclosure policies.

Why does this matter?

A vulnerability disclosure program gives security researchers a safe, legal way to report security issues to an organization. Without one, researchers who discover flaws have no clear path to report them — and companies may never learn about critical vulnerabilities until they are exploited.

The security.txt standard (RFC 9116) provides a machine-readable way for organizations to publish their security contact information at /.well-known/security.txt.

How it works

We maintain a list of JSE-listed companies and their known domains. A scanner runs monthly and checks each domain for common indicators of a vulnerability disclosure program:

• /.well-known/security.txt and /security.txt
• Dedicated security or disclosure pages (/security, /responsible-disclosure, etc.)
• Bug bounty program pages
• Manual entries for policies at non-standard locations

Classification

Each company is classified with a simple binary result:

• Yes — A security.txt, disclosure policy page, or manual entry was found
• No — No disclosure program detected

Multiple domains

Many companies operate under multiple domains (e.g. a group domain and a consumer-facing domain). The scanner checks all known domains for each company and uses the best result. If a policy is found on any domain, it counts for the company.

Manual overrides

Some companies publish their disclosure policies at non-standard paths that the automated scanner can't reliably detect. We maintain a manual override list for these cases. Manual entries are clearly marked in the directory.

Limitations

This scanner is passive and non-intrusive — it only makes standard HTTP GET/HEAD requests to publicly accessible URLs. It does not perform any security testing. False positives and negatives are possible; a company may have a disclosure program that the scanner didn't detect.

Features

• Full-text search across company names, tickers, domains, and sectors
• Filter by disclosure status (Yes / No)
• Filter by industry sector
• Sort by name or disclosure status
• Detailed company view
• security.txt content preview
• Direct links to discovered policies
• Export filtered results to CSV
• Shareable deep links to companies and filtered views
• Copy company info to clipboard
• Keyboard navigation (/ to search, Esc to close)
• Fully responsive mobile layout
• Print-friendly view
• SEO optimized with structured data
• Accessibility (ARIA labels, keyboard support)
• Statistics dashboard with grade distribution
• Multi-domain support per company
• Manual override integration
• Soft-404 detection in the scanner
• Content relevance scoring
• Back to top button
• URL-based state persistence

Contributing

Know a company that has a disclosure program we missed? Found an incorrect entry? Contributions are welcome — submit a pull request or open an issue on GitHub.