lookup.disclose.io is a security attribution lookup tool that helps security researchers find who owns digital assets and discover the best channels for reporting vulnerabilities. It supports 16 different input types and can automatically chain strategies together for deep attribution.
🚀 Quick Start
Web Interface
- Enter any digital asset (domain, IP, package name, etc.) in the search box above
- Click "Lookup" or press Enter
- Review attribution and security contacts — primary channels first, fallbacks only if needed
CLI Interface
bun ~/Projects/lookup-disclose-io/cli.ts "cloudflare.com" --json
JSON API
curl -s https://lookup.disclose.io/api/lookup \
  -H "Content-Type: application/json" \
  -d '{"input":"cloudflare.com"}' | jq
MCP Server (for AI agents)
Streamable HTTP at https://lookup.disclose.io/mcp, or stdio via bun mcp.ts. See the API & MCP section below for client config.
📋 Supported Input Types
Automatic Detection
These are detected automatically - just enter them:
| Type | Example | What it finds |
| --- | --- | --- |
| Domain | cloudflare.com | security.txt, bug bounty programs, CERT contacts |
| URL | https://example.com/path | Same as domain, extracted automatically |
| IPv4 | 8.8.8.8 | Network owner, abuse contacts, geolocation |
| IPv6 | 2001:db8::1 | Same as IPv4 |
| Email | [email protected] | Domain-based lookup |
| ASN | AS15169 | Network registration data |
| CIDR | 192.168.0.0/24 | Network block ownership |
With Prefixes
Use these prefixes for specialized lookups:
| Type | Format | Example | What it finds |
| --- | --- | --- | --- |
| Package | npm:package | npm:express | Package maintainer, repository, security policy |
| Package | pypi:package | pypi:requests | PyPI package details and maintainer |
| Package | crates:package | crates:serde | Rust crate information |
| Repository | gh:org/repo | gh:nodejs/node | GitHub SECURITY.md, maintainer contacts |
| Mobile App | app:name | app:WhatsApp | App store contacts, developer info |
| Hardware | hw:model | hw:Cisco ASA 5505 | PSIRT contacts, vendor info |
| Extension | ext:name | ext:uBlock Origin | Browser extension developer |
| Desktop App | desktop:name | desktop:Slack | Application vendor contacts |
Cloud Resources
# Amazon S3 bucket
bucket-name.s3.amazonaws.com
# Azure blob storage
account.blob.core.windows.net
# Google Cloud Storage
bucket-name.storage.googleapis.com
🔗 Strategy Chaining
One of lookup.disclose.io's most powerful features is cross-strategy chaining - when one lookup leads to another automatically.
Example Chain: Package → Repository → Organization
npm:express
↓ (finds GitHub repository)
gh:expressjs/express
↓ (finds organization domain)
expressjs.com
↓ (finds security.txt)
security contacts found!
Real Chaining Example
Input: npm:lodash
- Package Strategy: Queries npm registry → finds GitHub repo
- Repository Strategy: Checks GitHub for SECURITY.md → finds organization
- Website Strategy: Looks up organization domain → finds security.txt
- Result: Complete attribution chain with multiple contact methods
📊 Understanding Results
Attribution Section
- Organization: Who owns/controls the asset
- Jurisdiction: Legal jurisdiction (country/state)
- Confidence: How certain we are (High/Medium/Low)
Security Contacts
Contacts are split into two groups. Always try a Primary contact first; only escalate to Fallback if the primary channel is unreachable or unresponsive.
Primary — direct vendor channels:
- Bug Bounty Programs (HackerOne, Bugcrowd, etc.)
- security.txt contacts (RFC 9116 standard)
- Repository SECURITY.md (GitHub/GitLab/Bitbucket disclosure)
- DNS Security TXT (emerging standard)
- PSIRT (vendor product security team)
- Web form (vendor's published submission form)
- Direct email (security@vendor, published vuln contact)
Fallback / escalation — generic, network-level, or jurisdictional:
- Abuse contacts (WHOIS/RDAP — network-level, not vuln-level)
- Convention emails (constructed security@domain, abuse@domain)
- National CERTs (country-specific or EU CSIRTs Network)
Resolution Chain
Shows which strategies were used and how they connected:
Input: npm:lodash
├── Package Strategy (npm registry)
│   └── Found: github.com/lodash/lodash
├── Repository Strategy (GitHub)
│   └── Found: SECURITY.md + organization
└── Website Strategy (lodash.com)
    └── Found: security.txt contacts
🎯 Common Use Cases
1. Web Application Assessment
# Start with the domain
example.com
# Check subdomains
api.example.com
admin.example.com
# Look up IP ranges
203.0.113.0/24
2. Package Vulnerability Research
# Check the package
npm:vulnerable-package
# Trace to source
gh:org/vulnerable-package
3. Infrastructure Assessment
# Check the main service
service.company.com
# Look up hosting
8.8.8.8
# Check cloud resources
bucket.s3.amazonaws.com
4. Mobile App Security Research
# Start with the app
app:Instagram
# Check the organization
Meta
# Look up corporate domains
meta.com
💡 Pro Tips
- Start broad, then narrow: Begin with organization names or main domains, then drill down
- Chain manually: If auto-chaining doesn't find what you need, manually look up related assets
- Check multiple inputs: Different input types may reveal different contacts
- Verify contacts: Always verify contact information is current before reporting
- Use --json for automation: CLI JSON output is perfect for scripts and tools
🔌 API & MCP
The same handler powers the web UI, the JSON API, and the MCP server, so behavior is identical across all three surfaces.
HTTP API
One endpoint: POST /api/lookup. Body: {"input": "<asset>"}.
curl -s https://lookup.disclose.io/api/lookup \
  -H "Content-Type: application/json" \
  -d '{"input":"cloudflare.com"}' | jq
The response includes attribution, contacts (sorted by confidence), chains, dataSources, and status. The contacts[].type field tells you whether each entry is a primary vendor channel or a fallback — primary types are bug_bounty, security_txt, dns_security_txt, vdp, psirt, web_form, and email; fallback types are abuse_contact, convention, and cert.
MCP Server
An MCP server is built in. AI agents (Claude Code, Claude Desktop, Cursor, etc.) can call it as a tool. Two transports — pick whichever fits your client.
Stdio (local agents — Claude Code, Cursor):
// .cursor/mcp.json or ~/.claude.json
{
  "mcpServers": {
    "lookup-disclose-io": {
      "command": "bun",
      "args": ["mcp.ts"],
      "cwd": "/path/to/lookup.disclose.io"
    }
  }
}
Streamable HTTP (remote agents, hosted MCP, web tooling) at https://lookup.disclose.io/mcp — stateless, CORS open:
curl -s -X POST https://lookup.disclose.io/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
       "params":{"name":"lookup_security_contact",
       "arguments":{"asset":"cloudflare.com"}}}'
Tools exposed: lookup_security_contact (full lookup with structured + text output) and classify_asset (no-network type classifier). See the README for the full handshake and tool schemas.
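An added client-side example (not part of the lookup.disclose.io code base) that ties the HTTP API response format above to the "Primary first, Fallback only if needed" rule, and builds the same MCP tools/call envelope the curl command sends. The contact type names come from the API description; the response body embedded here is constructed to show the shape and is not real lookup output.

```python
import json
import urllib.request

API_URL = "https://lookup.disclose.io/api/lookup"

# contacts[].type values as documented for the JSON API
PRIMARY_TYPES = {"bug_bounty", "security_txt", "dns_security_txt", "vdp",
                 "psirt", "web_form", "email"}
FALLBACK_TYPES = {"abuse_contact", "convention", "cert"}


def lookup(asset: str) -> dict:
    """POST {"input": asset} to the JSON API and return the parsed response (needs network)."""
    body = json.dumps({"input": asset}).encode()
    req = urllib.request.Request(API_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage_contacts(response: dict) -> dict:
    """Split contacts into primary / fallback buckets, keeping the API's own ordering
    inside each bucket. Unknown types are kept visible rather than silently dropped."""
    buckets = {"primary": [], "fallback": [], "unknown": []}
    for c in response.get("contacts", []):
        t = c.get("type")
        if t in PRIMARY_TYPES:
            buckets["primary"].append(c)
        elif t in FALLBACK_TYPES:
            buckets["fallback"].append(c)
        else:
            buckets["unknown"].append(c)
    return buckets


def mcp_tool_call(asset: str, request_id: int = 1) -> dict:
    """JSON-RPC 2.0 envelope for the MCP lookup_security_contact tool."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "lookup_security_contact", "arguments": {"asset": asset}}}


# Constructed sample response: shape only, values are illustrative
SAMPLE_RESPONSE = {
    "attribution": {"organization": "Example Corp", "confidence": "High"},
    "contacts": [
        {"type": "security_txt", "value": "https://example.com/.well-known/security.txt"},
        {"type": "convention", "value": "security@example.com", "verified": False},
        {"type": "bug_bounty", "value": "https://bounty.example.com/program"},
        {"type": "cert", "value": "cert@example.invalid"},
    ],
}

if __name__ == "__main__":
    t = triage_contacts(SAMPLE_RESPONSE)
    print("Try first:", [c["value"] for c in t["primary"]])
    print("Escalate only if needed:", [c["value"] for c in t["fallback"]])
```

Replace SAMPLE_RESPONSE with the return value of lookup("your-asset") to run it against the live API.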
🚨 Important Notes
- Always verify contacts - Information may be outdated
- Respect disclosure policies - Follow vulnerability disclosure practices
- Try Primary first, escalate to Fallback only if needed - National CERTs and convention emails are last-resort channels, not first-pick
- Convention emails (security@, abuse@) are marked as unverified
- Rate limits apply - Be respectful of external services