Effective 5 July 2026 · applies to the "disclose.io" Chrome extension
The extension has one purpose: to show you, for the site you're currently on, whether it has a way to report security problems — a vulnerability disclosure program (VDP), safe harbor for researchers, and its disclosure-maturity level — using data from the disclose.io directory.
It reads: the registrable domain of your active tab — e.g. example.com — derived from the tab's URL.
It never reads or sends: the full URL, the path or query string, the page contents, your browsing history beyond the current tab's domain, your identity, or any account information. The extension has no login and no user account.
| When | Where | Method | What is sent |
|---|---|---|---|
| Automatically, when you switch to or navigate a tab | directory.disclose.io | GET | the registrable domain, to look up its disclosure status |
| Only when you click "Look this up" | lookup.disclose.io/api/lookup | POST | the registrable domain, to run a deeper security-contact lookup |
Both requests are anonymous: they carry no cookies, no credentials, and no identifier — only the domain and a static extension User-Agent string. Both endpoints are operated by the disclose.io Project, a nonprofit vulnerability-disclosure standardization effort. The domain is not sent to any other party, advertiser, or analytics service.
Results are cached locally on your device using Chrome's storage API, to avoid repeat network requests. This cache is not transmitted to disclose.io or anyone else, and is cleared when you remove the extension.
To operate and protect the directory and lookup services, disclose.io may log requests (including the queried domain and timestamp) per its own operational policy at disclose.io. These logs are used for service reliability and abuse prevention, not for advertising or profiling, and are not sold.
The automatic directory check runs only while the extension is installed; remove the extension to stop it entirely. The deeper lookup only ever runs when you explicitly click "Look this up."
Questions about this policy: security@disclose.io · source and issues: github.com/disclose/chrome-extension-v2.
We'll update this page and its effective date if the extension's data practices change.