Why nonprofits are missing from the responsible disclosure ecosystem

The absence of responsible disclosure programs does not stop researchers from finding issues in nonprofit systems—it removes the responsible path for reporting what they find.
Apr 23, 2026
7 minute read
Security

The structural problem

When a security researcher finds a vulnerability in a large company's systems, the path forward is well-defined. The company has a policy, a contact process, and staff who know what to do with an incoming report. The researcher submits what they found, the organization reviews it, and the vulnerability gets addressed.

Now consider the same scenario at a nonprofit. A researcher finds an exposed database containing donor financial records, or a security flaw in a case management system used by an immigration services organization. In most cases, there is no policy, no contact process, and no internal capacity to receive or act on that report. The researcher has nowhere structured to send what they found.

This is not primarily a problem of awareness. Most nonprofit IT teams know what responsible disclosure is. The problem is structural. The tools and processes that make organized disclosure work were built for organizations with dedicated security staff, legal departments, engineering resources, and enterprise software budgets. Those conditions do not describe most nonprofits.


The consequence is predictable. Reports go undelivered, get posted publicly, or arrive through informal channels with no process behind them. The vulnerability persists. The organizational risk compounds.

Nonprofits are being targeted at a rate most would not expect

The scale of attacks on the nonprofit sector is not well understood from the outside. Okta’s Businesses at Work 2025 report identified nonprofits as the second most targeted sector for cyberattacks globally, with an 18% rate of malicious login attempts, putting them ahead of healthcare and financial services. That number represents attempted unauthorized access across thousands of organizations, and it is not coincidental.

Nonprofits hold sensitive data: donor financial records, beneficiary healthcare information, immigration case files, and advocacy communications for vulnerable populations. The data profile of a mid-sized nonprofit often rivals that of a regulated financial institution, without the corresponding security resources.


Microsoft’s Digital Defense Report 2024 places nonprofits fourth among sectors targeted by government-sponsored attackers—groups defined by patience and sophistication, not just opportunistic financial crime. Cloudflare’s Project Galileo recorded a 241% increase in attacks on human rights and civil society organizations between 2024 and 2025. NetHope’s 2025 cybersecurity report found that phishing and account takeovers affected 94% of surveyed nonprofit organizations, up from 74% the prior year. The trend is not leveling off.


Why existing solutions don’t fit nonprofit realities

The UC Berkeley Center for Long-Term Cybersecurity found that 46% of nonprofits identify funding as the primary obstacle to improving their security posture. That framing is accurate but incomplete. The barrier to running a disclosure program is not only a budget issue—it is also the assumptions baked into every major platform designed for this purpose.

These platforms assume organizations have:

  • Lawyers who can draft legal policies
  • Security staff who can evaluate incoming reports
  • Engineers who can manage the operational side

These are not reasonable assumptions for a 30-person advocacy organization or a regional social services provider. As a result, a large portion of the nonprofit sector has been effectively excluded from a practice the rest of the technology world has broadly adopted.

The problem has a second side

A responsible disclosure program depends on two things working together:

  1. Organizations that can receive reports
  2. Researchers who have accessible programs to participate in

The current landscape fails nonprofits on both fronts.


Security researchers' attention concentrates on large, well-funded programs where competition is high and financial rewards are substantial. Early-career researchers, students, and security professionals motivated by mission-driven work have limited options for engaging with organizations where their findings would carry real weight.

The absence of nonprofit programs does not stop researchers from finding issues in nonprofit systems. It removes the responsible path for reporting what they find.

What nonprofits can actually do

Building a disclosure program does not require starting at enterprise scale. The most important first step is creating a structured, documented path for reports to arrive and be handled. There are accessible approaches that do not require dedicated security staff or significant budget.

Publish a security contact file

  • A security.txt file (standardized as RFC 9116) is a plain text file hosted at /.well-known/security.txt on your website that tells researchers how to contact your organization if they find something.
  • It is a recognized standard, takes under an hour to set up, and signals that your organization has a way to receive reports. The only required fields are a Contact (an email address, URL, or phone number written as a URI) and an Expires date, which should be less than a year out so that stale contact details do not linger.
  • The securitytxt.org website provides a free generator and step-by-step documentation.
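The following script is an added example, not code from the article or from the securitytxt.org generator it mentions. It builds a security.txt from a few organization details and then checks the result against the RFC 9116 rules that matter most in practice (at least one Contact written as a URI, exactly one Expires that is in the future and less than a year out, Preferred-Languages at most once). The domain, addresses, and the "bad" sample file are constructed for illustration.

```python
"""Build and sanity-check a security.txt file as defined by RFC 9116.

The file belongs at https://<your-domain>/.well-known/security.txt and should
be served as text/plain over HTTPS. RFC 9116 requires at least one Contact
field and exactly one Expires field; the other fields are optional.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample details for a hypothetical organisation; not real addresses.
EXAMPLE_ORG = {
    "contacts": [
        "mailto:security@example-nonprofit.org",
        "https://example-nonprofit.org/security",
    ],
    "policy": "https://example-nonprofit.org/security-policy",
    "canonical": "https://example-nonprofit.org/.well-known/security.txt",
    "preferred_languages": "en, es",
}

# Constructed example of the two mistakes seen most often: a bare email
# address instead of a mailto: URI, and no Expires line at all.
BAD_EXAMPLE = """\
Contact: security@example-nonprofit.org
Policy: https://example-nonprofit.org/security-policy
"""

ALLOWED_CONTACT_SCHEMES = ("mailto", "https", "tel")
FIXED_NOW = datetime(2026, 4, 23, tzinfo=timezone.utc)  # deterministic "today" for the demo


def build_security_txt(contacts, policy=None, canonical=None,
                       preferred_languages=None, expires=None, now=None) -> str:
    """Render a security.txt. Expires defaults to six months from `now`."""
    now = now or datetime.now(timezone.utc)
    expires = expires or (now + timedelta(days=180))
    lines = ["# security.txt (RFC 9116); regenerate before the Expires date."]
    for contact in contacts:
        lines.append(f"Contact: {contact}")
    lines.append(f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}")
    if policy:
        lines.append(f"Policy: {policy}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if preferred_languages:
        lines.append(f"Preferred-Languages: {preferred_languages}")
    return "\n".join(lines) + "\n"


def parse_fields(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Split a security.txt into {lowercased field name: [values]} plus malformed lines."""
    fields: dict[str, list[str]] = {}
    malformed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            malformed.append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, malformed


def check_security_txt(text: str, now=None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, malformed = parse_fields(text)
    problems = [f"malformed line: {line!r}" for line in malformed]

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        # RFC 9116 requires Contact values to be URIs; a bare address has no scheme.
        if urlparse(contact).scheme not in ALLOWED_CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:, https: or tel: URI, got {contact!r}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must include a time zone offset")
            elif when <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return problems


def demo(now=FIXED_NOW):
    """Build the sample file and check both it and the constructed bad file."""
    good = build_security_txt(EXAMPLE_ORG["contacts"], policy=EXAMPLE_ORG["policy"],
                              canonical=EXAMPLE_ORG["canonical"],
                              preferred_languages=EXAMPLE_ORG["preferred_languages"], now=now)
    return good, check_security_txt(good, now=now), check_security_txt(BAD_EXAMPLE, now=now)


if __name__ == "__main__":
    text, good_problems, bad_problems = demo()
    print(text)
    print("generated file problems:", good_problems)
    print("bad sample problems:", bad_problems)
```

The checker deliberately reads field names case-insensitively and skips comments, since both are permitted by the RFC; what it does not do is verify that the file is actually reachable at /.well-known/security.txt over HTTPS, which is the other half of the job and should be confirmed once the file is deployed.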

Write a basic disclosure policy

  • A disclosure policy does not require a lawyer.
  • At minimum, it should define:
  • CISA publishes free coordinated disclosure guidance, and templates from established platforms are publicly available and easy to adapt.

Assign ownership internally

  • Incoming reports need a defined destination and response process: who reads the inbox, who they escalate to, and how quickly the reporter hears back.
  • The owner does not need to be a security professional—an IT generalist, technology director, or operations lead can fill this role.
  • A dedicated, monitored inbox (e.g., security@yourdomain.org) and a simple escalation process are enough to begin; the same address is what goes in the Contact line of your security.txt file.

Look at platforms built for similar organizations

  • Several platforms now offer disclosure program infrastructure at low or no cost for organizations without large security teams.
  • These include templates and public frameworks for responsible disclosure.
  • CISA offers direct support for organizations setting up basic programs.
  • A growing category of tools can handle intake, communication, and tracking workflows without requiring custom development.

Engage existing community resources

  • Organizations like CISA, the Center for Internet Security, and nonprofit-focused technology groups publish free guidance for building security programs under resource constraints.
  • Peer networks within the sector—including NTEN’s community—are increasingly active and can surface practical approaches from organizations facing similar challenges.

In conclusion

The gap in nonprofit disclosure programs has real consequences—for organizations, for the people whose data they hold, and for the researchers who want to help but have no structured way to do so.


The barriers that created this gap are addressable with the right starting point—and that starting point is more accessible than it has ever been.

Nonprofits that build even a basic path for receiving security reports are not just reducing their own exposure. They are making it possible for the security community to work with them rather than around them.

Jared Medeiros

Founder and Security Engineer, Harbor Project

I'm a Senior Data Security Engineer with a broad background in information technology and cybersecurity. I'm also the founder of Harbor Project, a vulnerability disclosure and bug bounty platform built exclusively for nonprofit organizations.

NTEN™

© 2026 NTEN