Securin Zero Days

    Found something? We’ll handle the rest.

    Securin is a CISA-sponsored CVE Numbering Authority and EU GCVE Numbering Authority. If you’ve found a vulnerability and don’t know what to do with it — or don’t want to deal with vendors directly — bring it here.

    We handle everything after the finding. You keep full authorship and public credit.

    Every finding is treated with strict confidentiality. Nothing is shared with vendors or made public without your explicit agreement on timing and terms.
    01/WHAT HAPPENS WHEN YOU SUBMIT

    Four steps. Your finding to public record.

    From first contact to published advisory — here is exactly what happens, in order, and what you control at each stage.

    01 · Submit
    You send the finding

    Send a technical write-up through any of the secure channels below. Include what you found, how to reproduce it, and the affected software or hardware. A working proof-of-concept is required before we can proceed.

    Confidential — nothing shared without your sign-off
    02 · Review
    Securin validates

    Our research team reviews the submission — reproducing the exploit, assessing severity, and confirming exploitability. We’ll come back to you within 5 business days with a status update and any clarifying questions.

    You’re kept informed at every step
    03 · Coordinate
    We contact the vendor

    Securin notifies the vendor as the coordinating CNA — assigning a CVE or GCVE ID, delivering the full technical report under embargo, and managing all communications. You don’t have to deal with vendor contact directly unless you want to.

    90-day default embargo window
    04 · Publish
    Full advisory, your name on it

    On the agreed disclosure date, Securin publishes a full technical advisory — root-cause analysis, exploit chain, remediation runbook — under CNA and GNA authority. Your authorship and credit appear in the published record, permanently.

    Linked to NVD · archived in the Securin index
    02/THE DIVISION OF WORK

    What you bring.
    What we carry.

    The hard part of disclosure — vendor negotiation, CVE bureaucracy, embargo management — is what most independent researchers avoid. That’s exactly what Securin exists to handle.

    Securin handles
    CVE and GCVE assignment
    We assign the CVE ID as a CISA-sponsored CNA and GCVE ID as an EU GNA — directly, without routing through MITRE. No delays, no forms, no waiting.
    Vendor notification and negotiation
    We contact the vendor, deliver the technical report under embargo, and manage all follow-up. You don’t need a vendor relationship or security contact to coordinate here.
    Embargo management
    We track the 90-day window, handle extension requests, log non-responses, and make the call on disclosure timing. You’re consulted on extensions — never surprised.
    Patch verification
    We test the vendor’s fix against the original exploit before the embargo closes — confirming the remediation is complete before anything goes public.
    Advisory publication
    We write and publish the full technical advisory — root-cause analysis, impact matrix, remediation runbook — under CNA and GNA authority, indexed to NVD and the Securin advisory record.
    You bring
    The finding
    A vulnerability you’ve discovered — in commercial software, open-source, firmware, or hardware. In any product category. We don’t restrict scope.
    A working proof-of-concept
    Deterministic reproduction steps and a working PoC. Theoretical findings without a reproducible exploit cannot be submitted for coordination — they can’t be responsibly disclosed without one.
    Technical write-up
    A description of the vulnerability — affected component, root cause, trigger conditions, and observed impact. Doesn’t need to be formal. We’ll work with what you have.
    Good faith intent
    This program is for researchers acting in good faith. We don’t coordinate findings involving active exploitation by the submitter or findings intended to be sold before disclosure.
    03/TERMS — PLAIN LANGUAGE

    What you can count on.

    No legal document. The terms that govern every submission — stated plainly, held to without exception.

    Authorship
    Your name on the advisory. Always.
    You discovered it. The published advisory reflects that — your name, your affiliation if you choose to include it, your contribution credited in the public record permanently. Securin does not claim findings it did not discover.
    Confidentiality
    Nothing shared without your agreement.
    Your submission is treated as strictly confidential. Nothing is shared with the vendor, MITRE, CISA, or anyone else without your explicit agreement on timing and scope. You control what gets disclosed and when.
    Embargo
    90 days. Extended only with your knowledge.
    The default embargo window is 90 days from vendor notification. Extensions are granted only when active remediation is in flight and only with your knowledge. You are consulted before any extension is agreed — never informed after the fact.
    No cost
    Coordination is free for researchers.
    There is no fee for submitting a finding through the Securin CNA & GNA program. This is a service to the research community — not a commercial transaction. Securin’s commercial program is separate and distinct.
    Scope
    Any software, hardware, or firmware.
    We coordinate findings in commercial software, open-source projects, firmware, embedded systems, and hardware. No product category restrictions. If the finding is real and reproducible, we can coordinate it.
    Timeline
    5 business days to first response.
    We respond to every submission within 5 business days with a status update — accepted, declined with reason, or a request for clarification. Submissions are never ignored. If you don’t hear back, follow up.
    04/SUBMIT A FINDING

    Send what you have.
    We’ll take it from there.

    Include the affected product, a description of the vulnerability, your reproduction steps, and a working proof-of-concept. Plain text is fine — no template required.

    If you’re not sure whether what you’ve found qualifies, send it anyway. We’d rather review a finding that turns out to be a known issue than have a real zero-day go uncoordinated.

    Email the research team
    Reach out first and we'll provide the appropriate channel and instructions for a secure submission.
    Primary — secure email
    disclose@securin.io
    Monitored daily · 5 business day response SLA
    What to include
    · Affected product and version
    · Vulnerability description and root cause
    · Reproduction steps and PoC
    · Your preferred attribution name
    · Any timeline constraints you have

    Want to verify the program before submitting? Every advisory we’ve coordinated is in the public index — with full attribution, disclosure timeline, and the complete technical artifact.


    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    © 2026 Securin Inc · CVE Numbering Authority