Vulnerability disclosure done right

April 9, 2020 is a non-partisan non-profit platform. It enables vulnerability reporting while maintaining anonymity for the discoverer. It’s got a spring refresh to make it even easier to do vulnerability disclosure right.

A non-partisan and non-profit platform, enables vulnerability reporting while maintaining anonymity for the discoverer. Thus, ZeroDisclo channels an insightful disclosure process all by protecting the vulnerability reporter and providing timely and detailed information to the receiving CERT.

In a nutshell

ZeroDisclo builds the bridge between an ethical hacker and a CERT. The platform formalises the report through various criteria enabling the calculation of a CVSS severity score. Even more important, thanks to the report’s encryption with the keys of the person submitting the report and of the receiving organisation, ZeroDisclo serves as a ‘transmission belt’. At no time does the platform or the individuals administering it access the details of the vulnerability described.

ZeroDisclo is also available as a .onion instance, enabling coordinated vulnerability disclosure via the Tor Browser. Regardless of the web browser the submitter uses, the report is encrypted with the receiving organisation’s public key, then signed and timestamped by a blockchain. The site sends the report to a CERT; the vulnerability discoverer receives a certificate as proof of deposit. Coordinated vulnerability disclosure is thus possible without ZeroDisclo having to accumulate a dangerous knowledge of the bugs affecting third-party information systems.


A completely redesigned website

Enabling coordinated vulnerability disclosure is essential. ZeroDisclo is a uniquely positioned tool that does just that. The technology behind it does disclosure well.

That is why we deem it necessary also to give the website a spring refresh. The redesigned-from-head-to-toe website aims at seamless navigation—vulnerability disclosure is also done right when it is done through an unambiguous interface. Among other things, the submission form now indicates what parts of the vulnerability report are encrypted. Furthermore, the FAQ provides answers to many questions we have received since the platform’s inception in late 2016.

Indicate which report details are concealed

We heavily insist on the importance of bringing sensitive information to the right people without exposing the discoverer to unnecessary legal danger in the process. Alongside, we need not receive a copy of those details: our work aims to contribute to reducing vulnerabilities, not to stockpile them.

The vulnerability submission form is a central tool on ZeroDisclo. As it enables the discoverer to reach out to the receiving CERT, we have paid particular attention to make it as unambiguous as possible. Hence the little icon that indicates which parts we have access to—and which we do not.

A FAQ to better know what you can(not) do with ZeroDisclo

You have questions; we get that. And get these, too ? Hence a FAQ to reflect the various questions we have received in the past nearly-four years. The page is accessible through the top navigation menu. The questions are under broader categories, clarifying aspects for the different roles that partake in the vulnerability disclosure process.

CERT onboarding and further awareness raising

On the other side of ZeroDisclo’s ‘transmission belt’ is a CERT.

A short yet unambiguous Disclosure Policy

The CERT needs time to investigate. Reproducing the vulnerability may take time; cascading details to all concerned parties and organising fixes is also time-consuming. That is the reason we have outlined a concise yet straightforward Disclosure Policy. Acknowledging it is the final and mandatory step before submitting the vulnerability report.

An infographic to grasp ZeroDisclo in the blink of an eye

We aim for ZeroDisclo to be effortless to use. Yet, there will always be newcomers, both in the hacker community and within CERTs. Hence a dedicated ‘How it works’ page—and infographic has the spotlight therein. We have given it KISS approach, adding a more detailed step-by-step explanation at the bottom of the page.

In the coming 48 hours, we will provide a full infographic to the CERTs listed on ZeroDisclo. We aim it as a handy tool they can use internally to raise awareness about vulnerability disclosure done right. Until then, make the Internet safer—use!