ProofwrightWalkthrough

Standing up coordinated disclosure

security.txt, intake, triage, and researcher comms — the disclosure process the CRA expects.

Standing up a coordinated vulnerability disclosure process, so a researcher's report reaches the right inbox and gets a real answer. Related demos: The CRA incident-reporting clock and A CRA-grade patch process.

1

Publish security.txt

A machine-readable security.txt tells researchers where to report and how to reach you — the CRA expects a clear contact point, not a guess.

2

Take the report in

A dedicated intake channel captures each report with a reference, so nothing lands in a personal inbox and quietly dies.

3

Triage and validate

Reproduce, rate severity, and confirm which products and versions are affected — the same VEX decision your own monitoring uses.

4

Keep the researcher informed

Agree a disclosure timeline, credit the reporter, and coordinate the advisory so the fix and the public write-up land together.

this is Proofwright

It's live.

See the real thing at Proofwright.