ZeroDisclo.com is a non-partisan non-profit platform. It enables vulnerability reporting while maintaining anonymity for the discoverer. It’s got a spring refresh to make it even easier to do vulnerability disclosure right.
A non-partisan and non-profit platform, ZeroDisclo.com enables vulnerability reporting while maintaining anonymity for the discoverer. ZeroDisclo thus channels a well-informed disclosure process while protecting the vulnerability reporter and providing timely, detailed information to the receiving CERT.
In a nutshell
ZeroDisclo builds the bridge between an ethical hacker and a CERT. The platform formalises the report through various criteria enabling the calculation of a CVSS severity score. Even more important, thanks to the report’s encryption with the keys of the person submitting the report and of the receiving organisation, ZeroDisclo serves as a ‘transmission belt’. At no time does the platform or the individuals administering it access the details of the vulnerability described.
ZeroDisclo is also available as a .onion instance, enabling coordinated vulnerability disclosure via the Tor Browser. Regardless of the web browser the submitter uses, the report is encrypted with the receiving organisation’s public key, then signed and timestamped by a blockchain. The site sends the report to a CERT; the vulnerability discoverer receives a certificate as proof of deposit. Coordinated vulnerability disclosure is thus possible without ZeroDisclo having to accumulate a dangerous knowledge of the bugs affecting third-party information systems.
New to coordinated vulnerability disclosure? We’ve got you covered: read our white paper.
A completely redesigned website
Enabling coordinated vulnerability disclosure is essential, and ZeroDisclo is a uniquely positioned tool that does just that: the technology behind it handles disclosure well.
That is why we also deemed it necessary to give the website a spring refresh. Redesigned from head to toe, the website aims at seamless navigation: vulnerability disclosure is only done right when it is done through an unambiguous interface. Among other things, the submission form now indicates which parts of the vulnerability report are encrypted. Furthermore, the FAQ answers many of the questions we have received since the platform’s inception in late 2016.
Indicate which report details are concealed
We insist heavily on the importance of bringing sensitive information to the right people without exposing the discoverer to unnecessary legal danger in the process. At the same time, we have no need to receive a copy of those details: our work aims to reduce vulnerabilities, not to stockpile them.
The vulnerability submission form is a central tool on ZeroDisclo. As it is what enables the discoverer to reach the receiving CERT, we have paid particular attention to making it as unambiguous as possible. Hence the little icon that indicates which parts we have access to, and which we do not.