ZeroDisclo and Coordinated Vulnerability Disclosures
If you've discovered a serious, high-profile vulnerability affecting critical services on a large scale, it's important to be aware of certain quirks about coordinated vulnerability disclosures.
Coordinated vulnerability disclosure is a set of protocols around report submissions that describes a process in which the reporter of a vulnerability, the vendor of the component containing the vulnerability, and any third parties (including other companies that use the vulnerable component) come together to coordinate on fixing the issue and disclosing its existence to the general public.
One possible third party in this arrangement is a broker such as ZeroDisclo, which, as mentioned earlier, is associated with the European company YesWeHack (and BountyFactory). Here's an excerpt from ZeroDisclo's website describing its services:
Discoverers of vulnerabilities often experience difficulties in how to report them to the organizations concerned without disclosing them to a third party, and unfortunately direct contact with companies constitutes a legal risk.
A long-time partner of the security research community through its founders, YesWeHack is proud to present https://zerodisclo.com/. This non-profit platform provides the technical means and the required environment for all to adopt the coordinated reporting of vulnerabilities commonly known as Coordinated Vulnerability Disclosure.
In this case, if a researcher found a serious vulnerability in a core internet service (for example, JavaScript) but didn't know who to report it to or (more likely) feared legal retribution from an affected company, they could visit ZeroDisclo, either over HTTPS or through Tor, and fill out a form describing the nature of the vulnerability and its technical details. ZeroDisclo would then vet the submission and report it to the affected parties while keeping the original discoverer of the vulnerability anonymous.
If you choose to do this, be careful, because you could be breaking program policy. The Internet Bug Bounty program, discussed in the preceding section, has a specific question in its FAQ dedicated to whether third-party brokers may be used, and its answer is unambiguous:
No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the security team.
Make sure you consider all your options before submitting through a third-party broker. If you decide to use one, take preventive measures to stay anonymous, such as submitting through Tor, to protect yourself.