Zero-Day Disclosure Workflow
Manage coordinated vulnerability disclosure from initial discovery through CVE assignment, vendor patch, and public release.
Prerequisites
- Confirmed, reproducible vulnerability with full PoC documentation
- CVSS score calculated and severity assessed
- Written record of discovery date and discovery circumstances
- Vendor contact information or CERT/CC as fallback coordinator
- PGP key for encrypted communication (recommended)
1. Document the Finding in PhantomYerra
Before contacting the vendor, create a complete finding record with full PoC, impact analysis, and evidence. Use the Finding Editor (Ctrl+F) to log all details including exact reproduction steps.
💡 Set finding status to "Zero-Day Candidate" to flag it in the disclosure workflow panel.
2. Mark as Zero-Day and Start Disclosure Workflow
In the Finding Detail panel, click Start Disclosure Workflow. PhantomYerra creates a disclosure record with:
Discovery Date : [auto-filled from finding creation date]
Disclosure Start : [today]
90-Day Deadline : [auto-calculated]
Vendor : [enter vendor name]
Product : [enter product name + version]
CVSS Score : [auto-filled from finding]
Severity : Critical / High / Medium / Low
Check Discovery Date against the written record from the prerequisites; the finding's creation date is only a default and may be later than the actual discovery. The 90-day clock conventionally runs from vendor notification (Day 0 in step 5), so start the workflow on the day you send the notification, or correct Disclosure Start afterwards.
3. Find Vendor Security Contact
Look for the vendor's security contact in this priority order:
1. security.txt at https://vendor.com/.well-known/security.txt (RFC 9116; use its Contact and Encryption fields, and check that Expires is still in the future)
2. PSIRT (Product Security Incident Response Team) email: security@vendor.com / psirt@vendor.com
3. HackerOne/Bugcrowd/Intigriti program (check for a public bug bounty program; if you submit through it, that program's disclosure terms apply)
4. CVE Numbering Authority (CNA) contact if the vendor is a CNA
5. CERT/CC as coordinator of last resort: cert@cert.org
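The first item in that list can be checked mechanically. The following is an added example, not PhantomYerra code: it parses a security.txt body as RFC 9116 defines it (Contact, Encryption, Expires, Policy, Preferred-Languages, with a cleartext PGP signature tolerated), flags the problems a practitioner should notice before trusting the file (missing or expired Expires, a Contact that is not https/mailto/tel), and returns the first mailto: address as the one to send the encrypted report to. Both security.txt bodies below are constructed for the example; a real run would fetch the file over HTTPS and pass the body in.

```python
"""Parse a vendor's security.txt (RFC 9116) and pick the address to report to.

Added example, not PhantomYerra code. The two files below are constructed
for this example; a real run would fetch https://<vendor>/.well-known/security.txt
over HTTPS (never plain HTTP) and pass the body to parse_security_txt().
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample of a well-formed file.
SAMPLE_SECURITY_TXT = """\
# security.txt for vendor.example (constructed for this example)
Contact: mailto:psirt@vendor.example
Contact: https://vendor.example/report-vulnerability
Contact: tel:+1-555-0100
Encryption: https://vendor.example/pgp-key.txt
Expires: 2030-12-31T23:59:59.000Z
Preferred-Languages: en, de
Policy: https://vendor.example/security-policy
Canonical: https://vendor.example/.well-known/security.txt
"""

# Constructed sample of a stale, badly formed file.
STALE_SECURITY_TXT = """\
Contact: http://vendor.example/report
Expires: 2020-01-01T00:00:00Z
"""

DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)    # fixed "today" for the demo
# The URI schemes RFC 9116 gives for Contact; plain http: is discouraged by the RFC.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


@dataclass
class SecurityTxt:
    contacts: list[str] = field(default_factory=list)    # in the vendor's order of preference
    encryption: list[str] = field(default_factory=list)  # where the vendor's PGP key lives
    policy: list[str] = field(default_factory=list)
    languages: list[str] = field(default_factory=list)
    expires: datetime | None = None
    problems: list[str] = field(default_factory=list)    # reasons to double-check this file


def _parse_expires(value: str) -> datetime:
    """Expires uses the Internet date/time format; fromisoformat wants +00:00, not Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:            # RFC requires a zone; assume UTC rather than crash
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def parse_security_txt(text: str, now: datetime = DEMO_NOW) -> SecurityTxt:
    result = SecurityTxt()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                        # cleartext signature: nothing after it is a field
        if not line or line.startswith("#"):
            continue
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----") or line.startswith("Hash:"):
            continue                     # cleartext-signature armor around a signed file
        if ":" not in line:
            result.problems.append(f"malformed line: {line!r}")
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "contact":
            if not value.lower().startswith(ALLOWED_CONTACT_SCHEMES):
                result.problems.append(f"Contact uses an unsupported or insecure scheme: {value}")
            result.contacts.append(value)
        elif name == "encryption":
            result.encryption.append(value)
        elif name == "policy":
            result.policy.append(value)
        elif name == "preferred-languages":
            result.languages = [lang.strip() for lang in value.split(",") if lang.strip()]
        elif name == "expires":
            if result.expires is not None:
                result.problems.append("more than one Expires field")
            try:
                result.expires = _parse_expires(value)
            except ValueError:
                result.problems.append(f"unparseable Expires: {value}")
        # Canonical, Acknowledgments, Hiring, CSAF: valid fields, not needed to make contact.
    if not result.contacts:
        result.problems.append("no Contact field (required by RFC 9116)")
    if result.expires is None:
        result.problems.append("no Expires field (required by RFC 9116)")
    elif result.expires <= now:
        result.problems.append(f"file expired on {result.expires.date()}; contacts may be stale")
    return result


def preferred_email(parsed: SecurityTxt) -> str | None:
    """First mailto: contact, i.e. the address for the PGP-encrypted report."""
    for contact in parsed.contacts:
        if contact.lower().startswith("mailto:"):
            return contact[len("mailto:"):]
    return None


if __name__ == "__main__":
    for body in (SAMPLE_SECURITY_TXT, STALE_SECURITY_TXT):
        parsed = parse_security_txt(body)
        print("report to:", preferred_email(parsed) or parsed.contacts[:1])
        print("PGP key:", parsed.encryption, "problems:", parsed.problems)
```

A non-empty problems list does not mean the contacts are wrong, only that the file is not maintained; in that case confirm the address through the PSIRT mailbox or bug bounty program before sending anything sensitive.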
4. Send Initial Disclosure Notification
PhantomYerra generates a professional disclosure notification draft. Review and send to the vendor. The notification includes:
Subject : [SECURITY] Vulnerability Report — [Product] [Version]
Contents (encrypted ZIP attachment):
- Vulnerability description (no full PoC in first email)
- Affected product and version
- CVSS score and vector
- Proposed 90-day coordinated disclosure timeline
- Your contact details and PGP key (if applicable)
- Request for acknowledgment within 7 days
💡 PGP-encrypt the disclosure if the vendor publishes a PGP key (the Encryption field of security.txt points to it). PhantomYerra includes a PGP helper in the disclosure workflow. Many mail gateways quarantine password-protected ZIP attachments, so where a PGP key exists prefer an encrypted message body over an encrypted archive, and hold the full PoC until the vendor has confirmed a secure channel.
5. Track Vendor Response
Log all vendor communications in the Disclosure Timeline panel. PhantomYerra tracks:
Day 0 : Initial notification sent → awaiting acknowledgment
Day 7 : Follow-up if no acknowledgment received
Day 30 : Request patch status update
Day 60 : Request CVE assignment status + patch ETA
Day 90 : Deadline — publish advisory if no patch (extend if the vendor requests it and a patch is imminent)
Day 0 is the date the vendor was notified, not the discovery date. Log every message with its date, so that a decision to extend at day 90 rests on a documented vendor request and a stated patch ETA rather than on memory.
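The timeline above is a small state machine: which message is due depends on how many days have elapsed, whether the vendor has acknowledged, and whether the deadline has been legitimately extended. The following is an added example, not PhantomYerra code: it encodes the Day 0/7/30/60/90 milestones, the "extend only if the vendor requests it and a patch is imminent" rule, and the day-14 CERT/CC escalation from Common Issues below. The Disclosure record, the function names and the 30-day definition of "imminent" are this example's own assumptions.

```python
"""Disclosure-timeline helper for the Day 0/7/30/60/90 schedule above.

Added example, not PhantomYerra code. It encodes the milestones and the
"extend only if the vendor requests it and a patch is imminent" rule from the
timeline, plus the day-14 CERT/CC escalation from Common Issues. The
Disclosure record, the function names and the 30-day "imminent" window are
this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# (days after notification, action due), as shown in the Disclosure Timeline panel
MILESTONES = [
    (0, "initial notification sent; awaiting acknowledgment"),
    (7, "follow up if no acknowledgment received"),
    (30, "request patch status update"),
    (60, "request CVE assignment status and patch ETA"),
    (90, "deadline: publish advisory if no patch"),
]
DEADLINE_DAYS = 90
ESCALATE_AFTER_DAYS = 14                      # still unacknowledged: engage CERT/CC
IMMINENT_PATCH_WINDOW = timedelta(days=30)    # assumption: "imminent" = within 30 days of the deadline


@dataclass
class Disclosure:
    notified: date                        # Day 0: date the initial notification was sent
    acknowledged: date | None = None
    patch_eta: date | None = None         # vendor-stated fix date, if they gave one
    extension_requested: bool = False     # vendor explicitly asked for more time
    patch_released: date | None = None

    @property
    def deadline(self) -> date:
        return self.notified + timedelta(days=DEADLINE_DAYS)


def schedule(d: Disclosure) -> list[tuple[date, str]]:
    """Calendar date for each milestone, for the Disclosure Timeline panel."""
    return [(d.notified + timedelta(days=n), action) for n, action in MILESTONES]


def effective_deadline(d: Disclosure) -> date:
    """The 90-day date, moved to the patch ETA only if the vendor asked and the ETA is imminent.

    An ETA before the deadline needs no extension; an ETA far past it, or an
    ETA the vendor never backed with an extension request, does not earn one.
    """
    if (d.extension_requested and d.patch_eta is not None
            and d.deadline <= d.patch_eta <= d.deadline + IMMINENT_PATCH_WINDOW):
        return d.patch_eta
    return d.deadline


def next_action(d: Disclosure, today: date) -> str:
    """What the researcher should do today, given the state of the disclosure."""
    elapsed = (today - d.notified).days
    if d.patch_released is not None:
        return "patch released: align the public advisory with the vendor's release"
    if today >= effective_deadline(d):
        return "deadline passed without a patch: publish the advisory"
    if d.acknowledged is None:
        if elapsed >= ESCALATE_AFTER_DAYS:
            return f"no acknowledgment after {ESCALATE_AFTER_DAYS} days: engage CERT/CC or your national CERT"
        if elapsed >= 7:
            return "no acknowledgment after 7 days: send follow-up"
        return "awaiting acknowledgment"
    if elapsed >= 60:
        return "request CVE assignment status and patch ETA"
    if elapsed >= 30:
        return "request patch status update"
    return "acknowledged; request a status update at day 30"


if __name__ == "__main__":
    demo = Disclosure(notified=date(2025, 1, 10), acknowledged=date(2025, 1, 12),
                      patch_eta=date(2025, 4, 25), extension_requested=True)
    for due, action in schedule(demo):
        print(due, action)
    print("effective deadline:", effective_deadline(demo))
    print("today's action:", next_action(demo, date(2025, 4, 10)))
```

The point of effective_deadline is that an extension is granted on two conditions together: a vendor-stated ETA inside the window and an explicit request. An ETA alone, or a request without a date, leaves the original day-90 date in force.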
6. Request CVE Assignment
Once the vendor acknowledges, request a CVE ID. If the vendor is a CNA, it assigns the ID for its own products; otherwise the request goes to MITRE as the CNA of last resort. See the CVE Request tab for the full process. PhantomYerra auto-fills the MITRE CVE request form from your finding data.
7. Coordinate Patch Release and Public Advisory
Align the public advisory date with the vendor's patch release. The advisory includes: CVE ID, CVSS score and vector, affected versions, fixed versions, PoC (at a level of detail appropriate to the risk of immediate exploitation), the disclosure timeline, and credits. PhantomYerra generates the advisory document from the disclosure record.
Common Issues
Vendor does not respond: Try alternate contacts: LinkedIn for the CISO or security team, a Twitter/X DM to the vendor's security account, or their bug bounty platform if they have one. Use these channels only to ask for a secure contact; do not put vulnerability details in a LinkedIn message or DM. If still unresponsive at day 14, engage CERT/CC (cert@cert.org) or your national CERT as a coordinator. They have established relationships with vendor PSIRTs and can facilitate contact.
Vendor disputes that the finding is a vulnerability: Document the vendor's response in the Disclosure Timeline. Provide additional technical evidence demonstrating the security impact. If the vendor still disputes it after review, you may proceed with disclosure at day 90; include the vendor's response in your advisory for transparency, so the security community can evaluate the severity independently.
Vulnerability affects a government system: Government system vulnerabilities require special handling. Contact the relevant national CERT or cybersecurity agency directly (CISA in the US, NCSC in the UK, BSI in Germany). Do not disclose publicly without coordinating with that authority. Standard 90-day timelines may be extended significantly for critical national infrastructure.