## https://sploitus.com/exploit?id=59AFB9C3-73FC-5D39-A03B-3E3E7DC7E896
# coordinated-disclosure
A Claude Code skill + plugin marketplace for running coordinated vulnerability disclosure on open-source web apps β from first probe through patch delivery.
**What Claude can do with it:** probe non-destructively, verify every finding with discipline, write the GitHub Security Advisory via `gh api`, ship patches as `git format-patch` files when the advisory's temporary private fork is inaccessible, and do it all with typecheck + test gates before committing. Plus a pile of reusable techniques: SSRF error-shape oracle, rate-limit posture measurement, sanitiser-bypass harness with JSDOM strict check, version-fingerprint via content-echoing SSRF, living-target snapshot diffing.
## Install
### As a Claude Code plugin (recommended)
```
/plugin marketplace add shaxbozaka/coordinated-disclosure
/plugin install coordinated-disclosure@coordinated-disclosure
```
After install the skill appears in the registry and activates when a prompt matches the trigger description ("I have authorization to auditβ¦", "GHSA collaborator", "bug-bounty scope", etc.).
### Manually (no Claude Code plugin system)
```bash
mkdir -p ~/.claude/skills
git clone https://github.com/shaxbozaka/coordinated-disclosure ~/.claude/skills/coordinated-disclosure
```
Restart Claude Code. The skill now lives at `~/.claude/skills/coordinated-disclosure/SKILL.md` and Claude will pick it up at session start.
## When the skill activates
The `description` frontmatter triggers on any of:
- "I have authorization to audit {X}"
- "I'm listed as a collaborator on GHSA-β¦"
- "bug bounty scope for {program}"
- "CTF engagement on {host}"
- Any prompt mentioning responsible-disclosure / coordinated-disclosure workflow
- Stack keywords (Node, TypeScript, Next.js, Better-Auth, Drizzle, ORPC, tRPC, etc.) combined with a security-audit context
It's also invokable by name β just ask Claude to "use the coordinated-disclosure skill."
## What's inside
```
.claude-plugin/marketplace.json # plugin metadata
SKILL.md # core runbook (β225 lines, focused)
references/
poc-templates.md # 9 reusable probe snippets:
# 1 auth bootstrap
# 2 snapshot probe (living-target)
# 3 rate-limit posture measurement
# 4 SSRF error-shape oracle
# 5 sanitiser-bypass harness (JSDOM strict)
# 6 security-headers audit
# 7 advisory edit loop (gh api)
# 8 patch-set export for advisory inlining
# 9 cleanup rituals
README.md
LICENSE # MIT
```
## Non-goals
- **Not a hacking guide.** Every pattern assumes explicit, written scope from the maintainer. No evasion techniques, no unauthorized targeting, no zero-day weaponisation.
- **Not a CVE knowledge base.** It doesn't enumerate specific vulns. It describes how to find and report them with discipline.
- **Not a replacement for funded pentest engagements.** A good runbook beats a shrugging improv session; it doesn't beat professional firms with tooling + threat intel.
## Why this exists
Most security-research content online is either "101-level list of OWASP bugs" or "obfuscated offensive tooling marketed as red-team." The gap in the middle β actually running a coordinated-disclosure engagement: verifying claims, writing a clean advisory, shipping patches when you don't have push access to the temporary private fork β is folklore you only learn by screwing it up once. This skill is that folklore, written down, with the specific command-line recipes that save you two hours per engagement.
## Contributing
PRs welcome, especially:
- Techniques for stacks not yet covered (Python/Django, Ruby/Rails, Go, Elixir, PHP)
- Additional payload libraries for sanitiser harnesses
- Platform-specific disclosure workflows (HackerOne, Bugcrowd, huntr, etc.)
- Better patterns for maintainer-communication timing
Please keep contributions **generic** β no references to specific products, engagements, or unpublished vulnerabilities. The goal is reusable methodology.
## License
MIT. Use it, fork it, ship it.
## Acknowledgements
Distilled from real coordinated-disclosure engagements where the wrong call cost time, trust, or both.