Changelog

We launched a public researcher directory and leaderboard at /researchers.

Leaderboard

The leaderboard ranks the top 10 researchers across four categories:

• Reputation — Overall reputation score based on report quality and acceptance rate
• Top Earners — Researchers with the highest total bounty earnings
• Most Reports — Researchers with the most accepted vulnerability reports
• GitHub Stars — Researchers with the most stars across their GitHub repositories

Directory

Switch to Directory view to browse all public researchers with search, tier filtering, and sorting. Each researcher card shows their tier badge, accepted reports, reputation score, GitHub stars, and follower count.

Individual Profiles

Every public researcher gets their own profile page at /researchers/{username} with detailed platform stats (reputation, reports, acceptance rate, earnings) and GitHub stats (repos, stars, followers, account age).

Visit the Researcher Leaderboard to see who's leading the pack.

Researchers can now connect their GitHub accounts to patchli.st and display their GitHub stats on their public profile.

What's new

• Automatic GitHub sync on login — When you sign in with GitHub, we automatically capture your username, bio, and profile info.
• Manual sync — Hit "Sync GitHub Data" in Settings to pull fresh stats including repos, followers, following, and total stars across all your repositories.
• Connected Accounts section — New section in Dashboard Settings showing your GitHub connection status and stats at a glance.
• Public profile toggle — Opt-in to make your researcher profile visible on the public directory. Set a custom URL slug for your profile page.

Head to Dashboard → Settings to connect your GitHub account and make your profile public.

Generate a security.txt file for your website in seconds. This free tool helps security researchers know how to responsibly report vulnerabilities they find on your site.

Features:

• RFC 9116 compliant output
• All standard fields supported (Contact, Expires, Policy, Acknowledgments, etc.)
• Copy to clipboard or download as file
• Platform-specific deployment instructions for Vercel, Netlify, and Next.js

Try it now

Scan any website for security issues. Checks security headers, exposed files, backend detection (Supabase/Firebase), and RLS vulnerabilities. Get instant results with a security score. Share scan results with a public link.

Get notified when things happen on your reports without checking email. Bell icon in the dashboard shows unread count. Notifications for: report status changes, new comments, disputes, product verification, and payouts.

Founders and researchers can now communicate directly on reports. Real-time comments with markdown support. Attach files (images, PDFs, logs) up to 10MB per file. No more back-and-forth over email.

Secure your account with TOTP-based 2FA. Works with any authenticator app (Google Authenticator, Authy, 1Password, etc). Backup codes provided for account recovery.

Track your standing on the platform. Researchers: earn reputation from accepted reports, climb tiers from Newcomer to Elite. Founders: build trust through response times and fair payouts. Reputation badges visible on profiles.

Cleaner dashboard layout, improved mobile navigation, better typography. Dark mode tweaks for easier reading. Faster page loads across the board.

Security tips, bug bounty guides, and platform updates. RSS feed available at /blog/feed.xml.

Disagree with a report decision? Researchers can now file disputes. Admin reviews both sides and makes a final verdict. Fair process for everyone.

Three ways to verify you own your product: DNS TXT record, HTML meta tag, or manual review with proof. Verified products get a badge and appear higher in listings.

Get notified by email when: new reports come in, report status changes, payments are sent, disputes are filed. Emails include direct links to take action.