Researcher-to-vendor disclosure platform

VAPT connects researchers and security teams with vendors through coordinated disclosure.

The platform combines structured vulnerability intake, private case coordination, public advisories, and CVE support when a case should receive an identifier. Pentest firms and independent researchers gain recognition, vendors get a faster path to remediation, and VAPT keeps the disclosure record coherent from intake to publication.

Request CVE Browse advisories

Public advisories05

Stable disclosure URLs and machine-readable CVE references.

Queued disclosures04

Private intake records awaiting triage or publication.

CVE supportLive

Identifier handling is available when a coordinated case should receive one.

Public advisories--

Stable disclosure URLs and machine-readable CVE references.

Queued disclosures--

Private intake records awaiting triage or publication.

CVE supportLive

Identifier handling is available when a coordinated case should receive one.

Mission flow

How VAPT turns a report into a public advisory.

01

Intake

Researchers submit a structured request with vendor, product, attack surface, evidence, disclosure timing, and a preliminary CVSS assessment.

02

Assessment

VAPT case teams validate scope, reproduce impact, check for duplicates, and coordinate directly with vendors on remediation and publication timing.

03

Publication

Public advisories publish with stable identifiers, remediation guidance, metrics, and schema-backed CVE record data.

Program pillars

Built for disclosure operations.

Public advisory location

Stable detail pages, severity telemetry, remediation state.

Each advisory has a canonical URL, structured metadata, and the technical depth needed for downstream reference and scraping.

Coordinated intake

Analyst-grade request capture with evidence and scoring.

The intake form captures attack context, affected components, MITRE and CWE mapping, verification flags, and disclosure notes.

CVE support

Identifier handling when a coordinated case should receive one.

The backend keeps CVE Services authentication, reserve and publish actions, and record construction on the server side when VAPT needs to support the disclosure with a CVE record.

Latest advisories

Advisory feed preview.

View all advisories

CRITICALApr 10, 2026

Session bootstrap token bypass in Nimbus Gateway administrative API

Nimbus Gateway accepted stale bootstrap session material on the administrative API, allowing remote attackers to regain privileged access without re-authentication.

IDCVE-2026-44001

EPSSN/A

CVSS9.4

Nimbus GatewayRead advisory

HIGHApr 10, 2026

Template renderer command injection in Orbit Mail maintenance jobs

A trusted maintenance workflow in Orbit Mail passed unsanitized template directives to a shell-backed renderer, leading to authenticated remote command execution.

IDCVE-2026-44002

EPSSN/A

CVSS8.6

Orbit Mail ApplianceRead advisory

LoadingUpdating

Loading advisory preview.

Fetching the latest published disclosure records for the homepage feed.

IDPending

EPSS--

CVSS--

Latest publication queueLoading