Zero Trust Vulnerability Reporting workflow

[Jayant2908]

This issue is part of Project #79 – Zero Trust Vulnerability Reporting.

Goal

• Provide a zero-trust workflow for reporters to deliver vulnerability reports directly and securely to target organizations.
• Never persist sensitive vulnerability details in any file storage or database. Keep only minimal, non-sensitive metadata and artifact hashes for tracking, points, and program management.

Key Principles

• Direct delivery: Encrypt reports so only the recipient organization can decrypt (preferred: recipient public key).
• Minimal metadata: Store only non-sensitive metadata and artifact hashes; do not store vulnerability descriptions or PoC details.
• Ephemeral handling: Full vulnerability details exist only in memory or ephemeral worker storage while building the encrypted package; never persist plaintext to permanent storage.
• Out-of-band secrets: Any symmetric password must be delivered out-of-band (phone, SMS, separate email, secure messaging) and never stored with the report content.

[github-actions]

  🚫 **Please do not create new issues**  
  We currently have **many open issues** to focus on, some even with $5 bounties.
  
  If you believe your issue is important and should be solved,  
  please create a new topic in the BLT forum page instead.  
  Thanks for understanding! 🙏

[Jayant2908]

/assign

[github-actions]

Hello @Jayant2908! You've been assigned to OWASP-BLT/BLT issue #5232. You have 24 hours to complete a pull request.

---

This comment was generated by OWASP BLT-Action

[github-actions]

⏰ This issue has been automatically unassigned from Jayant2908 due to 24 hours of inactivity. The issue is now available for anyone to work on again.

---

This comment was generated by OWASP BLT-Action