security-contact


Identify security contact points for organizations. Finds security.txt, bug bounty programs, and other verified disclosure channels.

By ramimac. Updated 3/2/2026

name: security-contact
description: Identify security contact points for organizations. Finds security.txt, bug bounty programs, and other verified disclosure channels.
version: 1.0
author: ramimac
argument-hint: [company_name_or_domain]
tags:
  - security
  - disclosure
  - contacts
  - osint

Security Contact Finder

Purpose: Identify verified security contact points for responsible vulnerability disclosure.

Execution Mode

REQUIRED: Use parallel Task agents. Do NOT run scripts inline in the main conversation.

Step 1: Display Status

Display to user:

Finding security contacts for **<domain>**...

Use the domain provided by the user directly. Do not attempt to guess or resolve company names to domains.

Step 2: Parallel Discovery (background agents)

Spawn these checks in a SINGLE message with multiple Task calls, using the user-provided domain:

Task 1 (haiku): "Check security.txt for <domain>. Run: python3 scripts/check_security_txt.py <domain>. Return JSON result only."

Task 2 (haiku): "Check bug bounty databases for <domain>. Run: python3 scripts/check_bugbounty.py '<domain>'. Return JSON result only."

Task 3 (haiku): "Find security pages for <domain>. Run: python3 scripts/find_security_pages.py <domain>. Return list of found URLs only."

Task 4 (haiku): "WebSearch 'site:<domain> security contact email report vulnerability'. Extract any contact emails from results."

Task 5 (haiku): "Search for PSIRT contacts in industry directories:
  WebSearch 'site:first.org/members <company>'
  WebSearch 'site:cve.org <company> CNA partner'
Return: FIRST member status, PSIRT email if found, CNA status."

Step 3: Compile & Present

Wait for all agents to complete, then present final summary only:

## Security Contacts for <company>

### Recommended Disclosure Path
1. <best method>
2. <fallback>

### Verified Channels

| Channel | Details | Source |
|---------|---------|--------|
| Email | security@example.com | Trust Center |
| Bug Bounty | HackerOne (private) | Security Practices |
| security.txt | Contact: ... | /.well-known/security.txt |

Recency Rules:

  • If expiration.is_expired == true: Show "⚠️ security.txt is expired - contact info may be outdated"
  • If expiration.expires_soon == true: Show "⚠️ security.txt expires in X days"
  • If neither: Don't show recency warning
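
The recency rules above depend on an `expiration` object derived from the `Expires` field of security.txt (RFC 9116). The following is an added example, not the skill's own `scripts/check_security_txt.py`: the function names, the `days_left` key, the result shape and the 30-day "expires soon" window are assumptions, and the sample file is constructed.

```python
"""Added example: parse security.txt text (RFC 9116) and derive recency flags."""
from datetime import datetime, timezone

SOON_DAYS = 30  # assumption: the page does not define the "expires soon" window

# Constructed sample file, not fetched from any real site.
SAMPLE = """\
# Constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2026-04-01T00:00:00Z
Preferred-Languages: en
"""

def parse_security_txt(text, now=None):
    """Return contacts plus an expiration dict shaped like the fields named above."""
    now = now or datetime.now(timezone.utc)
    contacts, expires_raw = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments, PGP armor and malformed lines
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()  # field names are case-insensitive
        if name == "contact" and value:
            contacts.append(value)
        elif name == "expires" and expires_raw is None:
            expires_raw = value
    expiration = {"expires": expires_raw, "is_expired": False,
                  "expires_soon": False, "days_left": None}
    if expires_raw:
        try:
            when = datetime.fromisoformat(expires_raw.replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            days = (when - now).days
            expiration.update(days_left=days, is_expired=when <= now,
                              expires_soon=when > now and days <= SOON_DAYS)
        except ValueError:
            expiration["expires"] = None  # unparseable date: treat as unknown
    return {"contacts": contacts, "expiration": expiration}

def recency_warning(expiration):
    """Map the flags to the warning text from the recency rules, or None."""
    if expiration["is_expired"]:
        return "⚠️ security.txt is expired - contact info may be outdated"
    if expiration["expires_soon"]:
        return f"⚠️ security.txt expires in {expiration['days_left']} days"
    return None
```

A file with no `Contact` field yields an empty `contacts` list, which under the No Guessing Policy means security.txt contributes no verified channel.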

Output Rules

  • DO NOT show raw script JSON output in main conversation
  • DO NOT show WebFetch intermediate results
  • DO NOT show multiple tool calls visibly to user
  • ONLY display: initial status line, then final summary table
  • If no contacts found, say so clearly with "No verified contacts found"

No Guessing Policy

Only verified contacts:

  • ✓ security.txt with Contact field
  • ✓ Program in bug bounty database
  • ✓ Contact extracted from page via WebSearch
  • ✓ PSIRT/FIRST member contacts

Not included:

  • ✗ Guessed email patterns (security@, psirt@)
  • ✗ Generic contact forms
  • ✗ Social media

Install via CLI

npx skills add https://github.com/ramimac/unprompted --skill security-contact

Repository Details

Stars: 17
Forks: 5
Branch: main
Path: SKILL.md