Frequently Asked Questions

All emails sent by ZeroDisclo.com come from zerodisclo [@] yeswehack.com and are signed with our dedicated PGP key.

Make sure you have white-listed that address so you do not miss out on notifications.

- I WANT TO DISCLOSE A VULNERABILITY –

ZeroDisclo.com is a secure and confidential communication channel between you and a CERT. ZeroDisclo.com is not a judge about a report’s relevancy. In any event, reporting the security weakness you have observed to a CERT is always much better than boasting about it on your favourite social media.

Before filling in the report form, check FireBounty to make sure the possibly affected service does not already have a dedicated vulnerability disclosure programme (VDP). FireBounty lists such programmes in real time, so treat it as your mandatory first stop on the way to making the Internet safer. If the service has a dedicated VDP, it is more straightforward to take that road instead of submitting through ZeroDisclo.com.

If you would like an even easier way to check whether a service has a VDP, install VDPFinder. It is a free web browser plugin we have developed so that organisations can showcase their VDPs and ethical hackers can find them more easily. Head to our blog if you want to know more.

Only the bare minimum of logs is stored: transient web server logs and unhandled exceptions. As for the vulnerability submission metadata, the submission form indicates which details only you and the receiving CERT have access to: that information is encrypted in your browser with the CERT’s PGP key.

Check out the explainer to refresh your understanding of how ZeroDisclo.com works.

Also, we run a generic Matomo tracker on the website operating in Do Not Track mode. We do not store the website user’s IP address either. All in all, we have no means of identifying you.

You can submit the information about a vulnerability that leads to a potential data breach. However, we advise against submitting the compromised dataset. So, should you identify a vulnerability that enables unauthorised access to personally identifying data, please provide only a technical proof of concept in your report, without including personal data (no screenshots, etc.).

- I WANT TO JOIN –

No. ZeroDisclo.com only enrols CERTs under specific conditions.
That’s really kind of you, but we are good :) We welcome contributions to our open source projects, though: do check our GitHub and join in!

- I WANT TO RECEIVE DETAILS BECAUSE (REASONS) –

No. ZeroDisclo.com is a confidential channel between the vulnerability submitter and the CERT they have selected to report to. We do not have access to the details of the report.
If you would like to receive direct reports from researchers, please register your CERT with ZeroDisclo.com.
No. ZeroDisclo.com is not a threat intelligence sharing platform, but a non-partisan non-profit tool enabling Coordinated Vulnerability Disclosure.

- FURTHER READING –

We reflect on the ZeroDisclo.com platform on our blog, under the Coordinated Vulnerability Disclosure category and the ZeroDisclo tag. These blog posts and resources explain much of the reasoning behind the goal and features of this initiative.