name	security-contact
description	Identify security contact points for organizations. Finds security.txt, bug bounty programs, and other verified disclosure channels.
version	1
author	ramimac
argument-hint	["company_name_or_domain"]
tags	["security","disclosure","contacts","osint"]

Security Contact Finder

Purpose: Identify verified security contact points for responsible vulnerability disclosure.

Execution Mode

REQUIRED: Use parallel Task agents. Do NOT run scripts inline in the main conversation.

Step 1: Display Status

Display to user:

Finding security contacts for **<domain>**...

Use the domain provided by the user directly. Do not attempt to guess or resolve company names to domains.

Step 2: Parallel Discovery (background agents)

Spawn these checks in a SINGLE message with multiple Task calls, using the user-provided domain:

Task 1 (haiku): "Check security.txt for <domain>. Run: python3 scripts/check_security_txt.py <domain>. Return JSON result only."

Task 2 (haiku): "Check bug bounty databases for <domain>. Run: python3 scripts/check_bugbounty.py '<domain>'. Return JSON result only."

Task 3 (haiku): "Find security pages for <domain>. Run: python3 scripts/find_security_pages.py <domain>. Return list of found URLs only."

Task 4 (haiku): "WebSearch 'site:<domain> security contact email report vulnerability'. Extract any contact emails from results."

Task 5 (haiku): "Search for PSIRT contacts in industry directories:
  WebSearch 'site:first.org/members <company>'
  WebSearch 'site:cve.org <company> CNA partner'
Return: FIRST member status, PSIRT email if found, CNA status."

Step 3: Compile & Present

Wait for all agents to complete, then present final summary only:

## Security Contacts for <company>

### Recommended Disclosure Path
1. <best method>
2. <fallback>

### Verified Channels

| Channel | Details | Source |
|---------|---------|--------|
| Email | security@example.com | Trust Center |
| Bug Bounty | HackerOne (private) | Security Practices |
| security.txt | Contact: ... | /.well-known/security.txt |

Recency Rules:

If expiration.is_expired == true: Show "⚠️ security.txt is expired - contact info may be outdated"
If expiration.expires_soon == true: Show "⚠️ security.txt expires in X days"
If neither: Don't show recency warning

Output Rules

DO NOT show raw script JSON output in main conversation
DO NOT show WebFetch intermediate results
DO NOT show multiple tool calls visibly to user
ONLY display: initial status line, then final summary table
If no contacts found, say so clearly with "No verified contacts found"

No Guessing Policy

Only verified contacts:

✓ security.txt with Contact field
✓ Program in bug bounty database
✓ Contact extracted from page via WebSearch
✓ PSIRT/FIRST member contacts

Not included:

✗ Guessed email patterns (security@, psirt@)
✗ Generic contact forms
✗ Social media

name	security-contact
description	Identify security contact points for organizations. Finds security.txt, bug bounty programs, and other verified disclosure channels.
version	1
author	ramimac
argument-hint	["company_name_or_domain"]
tags	["security","disclosure","contacts","osint"]