Harbor
Now in Beta

Harbor Project

Responsible vulnerability disclosure for nonprofit organizations.

Harbor connects ethical researchers with nonprofits to report vulnerabilities responsibly, collaborate securely, and resolve risk faster.

Secure by default

Structured disclosure workflows, policy rails, and secure communication keep findings actionable and accountable.

Built for nonprofits

Mission-first security programs designed for lean teams, real constraints, and trust that's worth protecting.

Launch in minutes

Define your scope, publish your program, and start receiving responsible vulnerability reports right away.

The data nonprofits protect is irreplaceable

Exposed

nonprofits are among the most targeted sectors globally, facing enterprise-level threats without enterprise-level defenses.

Unprepared

nonprofits operate without the dedicated security resources or formal programs needed to respond when something goes wrong.

Uncharted

nonprofits have no structured path for researchers who discover vulnerabilities to report them safely and responsibly.

Harbor Project closes the gap

Organizations trust Harbor with their security program

Conservation, Healthcare, Civic Engagement, Public Safety

A clear disclosure process from report to resolution

1. Organization launches a program

Set up a VDP or Bug Bounty program with scope, policies, and communication expectations in one place.

2. Researcher reports a vulnerability

Security researchers find issues, submit reproducible reports, and share evidence through Harbor's structured flow.

3. Organization triages and resolves

Your team reviews severity, collaborates with researchers, and closes the loop from validation to remediation.

Protocol First Workflow

Most nonprofits handle sensitive data — donor records, beneficiary information, public trust — without dedicated security resources to protect it. Harbor builds the guardrails in so you don't have to. Structured disclosure workflows keep findings out of email threads and Slack DMs. Policy rails give researchers clear boundaries before they ever submit a report. Every interaction happens inside a controlled, accountable process.

In-Scope Assets
Protected under Safe Harbor
Active
Vulnerability Disclosure Policy

The Others | Harbor Project
Large security budget | Free to start
Dedicated team | One person
12-month implementation | Live today
Legal review required | Built-in safe harbor
Complex onboarding | Launch in minutes

Mission-Aware Security

Enterprise security programs are designed for teams with an excess of resources and time. Most nonprofits have neither of these. Harbor was built specifically for the gap — lean teams, real constraints, and the kind of donor-facing trust that makes security non-negotiable. No enterprise contract. No security engineer required. Just a program that works for the resources you actually have.

Launch in Minutes

Getting a responsible disclosure program off the ground used to mean months of legal review, engineering resources, and back-and-forth with vendors. Harbor changes that. Define your scope, set your policy, and publish a researcher-ready program in a single session. From zero to accepting your first vulnerability report before your next meeting.

Step 1: Define Scope
Step 2: Set Policy
Step 3: Publish Program
Live

Built for both sides of the disclosure process

Security Researchers

Find programs that matter

Browse nonprofit security programs, submit responsible vulnerability disclosures, and get recognized — or paid — for helping organizations that are doing meaningful work in the world.

  • Legal safe harbor on every program
  • Bug bounty payouts via Stripe
  • Recognition for mission-driven work

Nonprofit Organizations

Launch a real security program

Give researchers a safe, structured way to report vulnerabilities. Get actionable reports, track remediation, and demonstrate security accountability to your board and donors.

  • Live in under 10 minutes
  • No security expertise required
  • Free to start, scales with your program

Standardized Workflows

A complete disclosure workflow for both sides of the process — from first report to final resolution.

app.harborprojectsec.com
Researcher View

Harbor Relief Network

VDP

Secure disclosure channel for in-scope assets

Verified

Two Rivers Health

Bug Bounty

Secure disclosure channel for in-scope assets

Verified

Lightly Foundation

Bug Bounty

Secure disclosure channel for in-scope assets

Verified

app.harborprojectsec.com
Organization Dashboard

Reports Submitted

0

Confirmed Vulns

0

Avg Response

0.0d

Severity Distribution

Dynamic report lifecycle stages

SUBMITTED

NEW

UNDER REVIEW

TRIAGED

CONFIRMED

RESOLVING

RESOLVED

CLOSED

Alternate terminal outcomes

DUPLICATE, INVALID, REJECTED

Enterprise-grade disclosure infrastructure. Nonprofit-ready.

Real payouts for real work.

Security researchers who find and responsibly disclose vulnerabilities through Harbor bug bounty programs receive direct payouts via Stripe.

app.harborprojectsec.com/researcher/payouts

Bounty Paid

$0.00

Critical Vulnerability

Lightly Foundation

Transferred to your Stripe account

View in Stripe

Recent Payouts

Health Alliance

High

$250.00

Paid

Open Initiative

Medium

$100.00

Paid

Responsible security. Built for the mission.

Join the organizations and researchers protecting the work that matters.
