Frequently Asked Questions

All emails sent by come from zerodisclo [@] and are signed with our dedicated PGP key

Make sure you have white-listed that address so you do not miss out on notifications.

- I WANT TO DISCLOSE A VULNERABILITY – is a secure and confidential communication channel between you and a CERT. is not a judge about a report’s relevancy. In any event, reporting the security weakness you have observed to a CERT is always much better than boasting about it on your favourite social media.

Before filling in the report form, make sure to check FireBounty and ensure the possibly affected service does not have a dedicated vulnerability disclosure programme (VDP). FireBounty harbours such programmes in real time, so you can see it as your mandatory first stop to making the Internet safer. If the service has a dedicated VDP, it is more straightforward to take that road instead of submitting through

And if you’d like to even more easily check whether a service has a VDP, make sure you install VDPFinder! The latter is a free web browser plugin we have developed to enable organisations to showcase their VDPs and ethical hackers to peruse them more. Head to our blog if you want to know more.

Only the bare minimum logs are stored. Those are: transient web server logs and unhandled exceptions. Regarding the vulnerability submission metadata, the submission form indicates thanks to which details only you and the receiving CERT have access to: that information is encrypted in your browser with the CERT’s PGP key.

Check out the explainer to refresh your understanding of how works.

Also, we have a generic Matomo tracker on the website operating in Do Not Track mode. We do not store the website user’s IP address either. All in all, we have no means of identifying you.

You can submit the information about the vulnerability that leads to a potential data breach. However, we advise against submitting the compromised dataset. Thus, should you identify a vulnerability that enables unauthorised access to personally identifying data, please provide only technical proof of concept in your report without including personal data (no screenshots, etc.).


No. only enrolls CERTs within specific conditions
That’s real kind of you, but we are good :) We welcome contributions to our open source projects, though: do check our GitHub and join in!


No. is a confidential channel between the vulnerability submitter and the CERT they have selected to report to. We do not have access to the details of the report.
Should you be willing to receive direct reports from researchers, please register your CERT with
No. is not a threat intelligence sharing platform, but a non-partisan non-profit tool enabling Coordinated Vulnerability Disclosure.


We reflect on platform on blog under the Coordinated Vulnerability Disclosure category and the ZeroDisclo tag. These blog posts and resources explain much of the reasoning behind the goal and features of this initiative.