Welcome to vulnz. This is the issue tracker where I track the security vulnerabilities I find in third-party software/web apps, which are private until they can be disclosed to the public.

This Monorail project replaces the existing Phabricator instance at https://vulnz.avm99963.com/, which currently hosts the old vulnerability reports.

Vulnerability Reports Lifecycle

For most vulnerability reports, we follow the disclosure policy used by Google's Project Zero. This consists of a 90-day disclosure deadline, as explained in the previous link.

When the vulnerability disclosure deadline exceeds, vulnzybot will automatically make the report public by removing the Restrict-View-Commit label. The bot will leave a grace period of one day, which means it will not publish it the exact day that the deadline is exceeded, but one day after that.

For more details, check out the bot's readme page.