Demo mode — all vendors, users, mitigations and reactions shown are seeded for demonstration. Do not treat as real disclosures. Closed beta launching soon.

For Security Researchers — VIR Community


Disclose responsibly. Get credit. Build a public record.

Coordinated disclosure routed to the right CNA. Public-credit attribution. Verified-researcher badge once your first finding is published.

📨

Routed to the right CNA

Drop a vuln report. We figure out whether it goes to the vendor (Apple PSIRT, MSRC), upstream (kernel.org), GitHub Security, or directly to MITRE for CVE assignment. You stay in the loop.

Verified-researcher badge

After your first published disclosure, get a public ✓ Security Researcher badge that travels with you on every post.

🔐

PGP-signed disclosures

Sign your disclosure with your PGP key (or ours if you don't have one yet). Cryptographically provable provenance for every finding.

🏆

Public reputation

Disclosures, accepted mitigations, technical answers — all count toward your public rep. Recruit-worthy GitHub-style profile.

How it actually works

  1. Sign up + verify identity

    Magic-link sign-up with optional PGP key. Add your LinkedIn / GitHub / Twitter for cross-platform credibility.

  2. Submit your disclosure

    /m/disclose form. Describe the vuln, affected version range, impact, suggested mitigation. We figure out who to route it to.

  3. Coordinated handling

    CNA picks it up, assigns CVE-ID, vendor patches. You get email updates at each step. Embargo respected.

  4. Public-record disclosure

    When the embargo lifts, the CVE lands in VIR's catalogue. If you submitted mitigation guidance alongside your disclosure, that publishes under your name in the community-verified tier. CVE-level researcher credit is at the CNA's discretion — they decide the published advisory text. We surface whatever credits MITRE / NVD / the vendor ship.

Why we're different

  • Vendor-verified — Red Hat / Ubuntu / Microsoft / Cisco / Oracle security engineers (recognised by DNS-TXT + DKIM). When you see a gold ✓ badge, that person actually works there.
  • Audit-chained — every moderation decision is Ed25519-signed and hash-linked. Nothing edits silently.
  • No algorithm, no ads, no tracking — chronological, two cookies (session + theme), no third-party JS.
  • Your work goes somewhere real — approved mitigations land in VIR's canonical CVE database, attributed to you, alongside vendor advisories.

Ready when you are

Magic-link sign-in. No password unless you want one. One session cookie. Built for security researchers.