Zero Trust Vulnerability Reporting: without a trace.
BLT-Zero is a Cloudflare Python Workers powered site that lets security researchers report vulnerabilities directly and securely to target organizations, with zero tracking of sensitive data.
It is an independent application maintained under the OWASP BLT project family, operating on its own infrastructure with no shared servers or database.
BLT-Zero provides a zero-trust workflow for delivering vulnerability reports securely. Sensitive vulnerability details are never stored: they exist only in memory while the encrypted package is being built, then delivered directly to the recipient organization.
| Principle | Description |
|---|---|
| Direct Delivery | Reports are encrypted with the recipient organization's public key so only they can decrypt them. |
| Minimal Metadata | Only non-sensitive metadata (e.g., domain name, username) and artifact hashes are stored, never vulnerability descriptions or PoC details. |
| Ephemeral Handling | Full vulnerability details exist only in memory or ephemeral Cloudflare Worker storage while building the encrypted package. Plaintext is never written to permanent storage. |
| Out-of-Band Secrets | Any symmetric passwords are delivered through a separate channel (phone, SMS, or secure messaging) and are never stored alongside report content. |
BLT-Zero runs entirely on Cloudflare Workers using Python, giving it:
- No persistent server infrastructure: serverless, edge-deployed execution.
- Ephemeral worker storage: sensitive data never survives beyond request processing.
- Zero tracking: no analytics, no fingerprinting, no user profiling.
- Independent deployment: its own domain and infrastructure, separate from the main BLT application.
Reports are encrypted using age or OpenPGP with the recipient organization's public key. A symmetric password fallback is supported, delivered exclusively out-of-band.
- End-to-end encrypted vulnerability report submission
- Direct delivery to recipient organizations, with no middleman storage of sensitive data
- Zero tracking of reporters (no cookies, no analytics)
- Public-key encryption with optional symmetric password (out-of-band delivery)
- Minimal metadata storage for tracking, points, and program management
- Integration with main BLT for reporter points attribution
- Reporter visits BLT-Zero and fills in the vulnerability report form.
- The report is encrypted in memory using the target organization's public key.
- The encrypted package is delivered directly to the organization; plaintext details are never persisted.
- Only minimal metadata (domain, reporter username, artifact hash) is stored for points and tracking.
- If a symmetric password is used, it is sent out-of-band by the reporter (e.g., via phone or secure messaging).
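As an added illustration of the boundary the steps above describe (example code, not from the BLT-Zero repository): the sensitive fields are serialized and handed to an injected encrypt step (age or OpenPGP with the recipient's public key in production), the persisted record carries only the domain, the reporter username and the hash of the ciphertext, and a guard refuses any record that would leak a sensitive value. The `Report` fields, the function names and the `stand_in_encrypt` placeholder are assumptions made for this example.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable

# Fields that are encrypted for the recipient and must never reach KV/D1.
SENSITIVE_FIELDS = ("title", "description", "poc")


@dataclass(frozen=True)
class Report:
    domain: str        # non-sensitive, persisted
    reporter: str      # non-sensitive, persisted
    title: str         # sensitive, encrypted only
    description: str   # sensitive, encrypted only
    poc: str           # sensitive, encrypted only


def artifact_hash(ciphertext: bytes) -> str:
    """Hash stored with the metadata so the delivered artifact can be audited."""
    return hashlib.sha256(ciphertext).hexdigest()


def package_report(report: Report, encrypt: Callable[[bytes], bytes]) -> tuple[bytes, dict]:
    """Encrypt the sensitive part of a report in memory and return
    (ciphertext for direct delivery, metadata record that is safe to persist).
    `encrypt` is the injected recipient-key step (age or OpenPGP in production)."""
    sensitive = {name: getattr(report, name) for name in SENSITIVE_FIELDS}
    plaintext = json.dumps(sensitive, sort_keys=True).encode()
    ciphertext = encrypt(plaintext)
    record = {
        "domain": report.domain,
        "reporter": report.reporter,
        "artifact_sha256": artifact_hash(ciphertext),
        "submitted_at": int(time.time()),
    }
    # Drop the plaintext references before returning; Python cannot guarantee
    # zeroing, but nothing sensitive is kept in the returned record.
    del plaintext, sensitive
    return ciphertext, record


def leaks_sensitive_data(record: dict, report: Report) -> bool:
    """Guard to run before any write to KV/D1: True if a sensitive value leaked."""
    serialized = json.dumps(record)
    return any(v and v in serialized for v in (getattr(report, n) for n in SENSITIVE_FIELDS))


def stand_in_encrypt(plaintext: bytes) -> bytes:
    """Constructed placeholder so this example runs offline: NOT encryption.
    BLT-Zero would call age or OpenPGP with the recipient's public key here."""
    return b"STANDIN:" + hashlib.sha256(plaintext).digest()
```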
- Runtime: Cloudflare Workers (Python)
- Encryption: age / OpenPGP
- Storage: Minimal; Cloudflare KV or D1 for non-sensitive metadata only
- Integration: OWASP BLT API for points attribution
BLT-Zero is part of OWASP BLT Project #79: Zero Trust Vulnerability Reporting.
Contributions are welcome! Please:
- Check the open issues for tasks to work on.
- Fork the repository and create a feature branch.
- Submit a pull request referencing the relevant issue.
Please follow the OWASP BLT contribution guidelines.
This project is licensed under the GNU Affero General Public License v3.0.