Zer0day Sec 🗡

363 posts

@Zer0day_sec

Security Research: #Web3 #DeFi #DLTs #Web2 || Zero-day finder!

American Samoa · Joined February 2025
31 Following · 31 Followers
Pinned Tweet
Zer0day Sec 🗡@Zer0day_sec·
Upcoming article! 🔥 📖

♧ Public Disclosure in Security Research: The Right, The Threats, and The Responsibilities ♧

1. The Right
The researcher's right to public disclosure exists, but it is earned, not assumed. It activates only after responsible disclosure has run its course.
- What responsible disclosure looks like when done correctly
- The 90-day rule, industry standard, why it exists, who enforces it
- The conditions that justify going public: team ignores report, refuses to fix, refuses to validate, refuses to pay, fixes silently without acknowledgment
- The public good argument, users have a right to know what's protecting their funds
- Public disclosure as the enforcement mechanism that gives responsible disclosure its teeth, without it, teams have no incentive to do the right thing

2. The Threats (threefold)
- To Project Teams
  Public disclosure is the last card a researcher holds. For teams that refuse to engage:
  - Reputational damage, TVL impact, community loss of confidence
  - The precedent it sets, teams that handle disclosure badly become known for it
  - Why forcing a researcher to go public is almost always the worse outcome for the team
- To Researchers
  Public disclosure is a double-edged sword:
  - Premature disclosure, going public before the fix window closes
  - Wrongful disclosure, disclosing a finding that turns out to be invalid
  - Platform consequences, standing on HackerOne, Immunefi, Code4rena affected
  - Legal risk, teams that weaponize NDAs, ToS, and litigation against researchers
  - Community backlash, being labeled irresponsible even when the team was the bad actor
- To Users and the Community
  The most underappreciated threat vector:
  - Disclosing an unfixed vulnerability publicly hands a roadmap to attackers
  - Even a fixed vulnerability disclosed carelessly can trigger bank runs, panic withdrawals, protocol death spirals
  - The timing and framing of public disclosure is as important as the decision to disclose

3. The Responsibility (bilateral)
Researchers' Responsibility
- Follow the process, private report first, always
- Give reasonable time, 90 days is the standard, less for critical live exploits
- Disclose responsibly, what you say, when you say it, how much detail you share
- Consider the community, not just the team and yourself
Project Teams' Responsibility
- Acknowledge reports promptly
- Validate findings honestly
- Fix vulnerabilities seriously
- Pay bounties fairly
- Coordinate disclosure professionally
- Teams that skip any of these steps are responsible for the public disclosure that follows

What is The Right Outcome?
When both sides fulfill their responsibility: Finding. Private report. Fast fix. Coordinated disclosure. Community protected. Researcher credited. No one forces anyone's hand. That is what the system is supposed to look like.

Stay tuned for full article on X and on our website.
By @zer0day_sec / 0daysec.xyz
#responsibledisclosure #securityresearch #web3security #whitehat #bugbounty #publicdisclosure
Zer0day Sec 🗡@Zer0day_sec·
Give me any project codebase, even those audited 10,000 times. And I promise you I'd deliver at least 1 zero-day with minimum High-sev. That's a given. Nothing is unhvckable! #zeroday #DOAW
Zer0day Sec 🗡 retweeted
Zer0day Sec 🗡@Zer0day_sec·
Q-Day Is Coming - Crypto & Web3 Security Research Will Never Be The Same.
- Article by @zer0day_sec | 0daysec.xyz

♧♧♧

We have seen what AI brought to Web3 security. Both sides of it.

On the positive side: automated scanners that detect exploits in real time, fuzzing tools that surface edge cases no human reviewer would catch, AI-assisted auditing that lets experienced researchers move faster and cover more ground. The stack is better. The tooling is sharper. The best security researchers in the space have a genuine force multiplier in their hands.

On the negative side: AI exploit agents that fork mainnet, run a deposit, check if the math breaks, and do it across thousands of protocols per day for pennies. The window between misconfiguration and exploitation has collapsed from months to hours. April 2026 proved it. ZetaChain, YieldCore, Singularity Finance, Scallop, none were sophisticated attacks. All were assumption failures. All were found and exploited faster than any human team could respond.

AI changed the threat landscape. It did not break the underlying cryptography. But... Quantum computing will.

♧ What Q-Day Actually Means

Q-Day is the moment a quantum computer becomes powerful enough to break elliptic curve cryptography, the mathematical foundation that secures every wallet, every signature, every transaction on every major blockchain in existence.

When you sign a transaction on Ethereum, Bitcoin, or any EVM-compatible chain, you are using ECDSA, the Elliptic Curve Digital Signature Algorithm. It works because deriving a private key from a public key is computationally impossible for classical computers. The math takes longer than the age of the universe to brute force.

Quantum computers running Shor's algorithm, a quantum technique first proposed in 1994, attack the underlying logic directly. They do not brute force. They solve. The problem that takes classical computers millions of years takes a sufficiently powerful quantum computer hours.

Q-Day is the day "sufficiently powerful" arrives.

♧ How Close Are We?

Closer than the industry was comfortable admitting six months ago.

In March 2026, research papers from Caltech and Google suggested that future quantum computers could break elliptic curve cryptography using fewer qubits and fewer computational steps than previously estimated. The papers were not theoretical exercises. They improved Shor's algorithm at two separate layers, and the results compounded.

Ethereum researcher Justin Drake publicly stated there is at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key. Ten percent by 2032. Six years.

Then, on April 24, 2026, five days ago, an independent researcher used publicly accessible quantum hardware to break a 15-bit elliptic curve key, winning Project Eleven's Q-Day Prize. A 15-bit key is nowhere near Bitcoin's 256-bit security. But resource estimates for a full 256-bit break are now below 500,000 physical qubits. The jump from where we are to where we need to be is shrinking faster than the roadmaps predicted.

2026 has been designated the Year of Quantum Security by the FBI, NIST, and CISA. Google has set a 2029 internal deadline for its own post-quantum cryptography migration. When the company whose researchers are producing the threat estimates sets a three-year migration deadline, that is not a precaution. That is a warning.

♧ The Specific Threat to Web3

This is where it gets uncomfortable for the blockchain industry specifically. Every address that has ever revealed a public key is vulnerable. On Bitcoin and Ethereum, your public key is exposed the moment you send a transaction. Hundreds of millions of addresses have exposed public keys sitting on-chain right now, permanently, immutably, forever.

A quantum-enabled attacker does not need to be in the right place at the right time. The data is already there. It will still be there on Q-Day.
Zer0day Sec 🗡@Zer0day_sec·
@ChanniGreenwall Agreed totally. You can't continue to do the same thing the same way with the same attitude and expect a different result.
Channi Greenwall@ChanniGreenwall·
90% of exploited smart contracts were previously audited. The industry's response was to do more audits. At some point you have to ask different questions.
Zer0day Sec 🗡@Zer0day_sec·
@svector_eth Is that a wish? or a prayer? Let us know. Because what a "man" soweth, he shall certainly reap.
anu@svector_eth·
MAY WE NOT SEE ANY DEFI HACKS IN MAY 🙏
Immunefi@immunefi·
Crypto's most controversial Security Researcher is coming on The Immunefi Show. Who do you think it is?
Essential@only01Essential·
Wen 1k?
0xasen@asen_sec·
The auditors who'll matter in 2 years aren't the smartest in the room today. They're the ones still showing up after the room empties. Be the last one out.
Code4rena@code4rena·
The Monetrix audit competition STARTS NOW! Let’s welcome @MonetrixFinance, the yield layer for Hyperliquid. This audit competition will run for 10 days with the biggest prizes going to the most severe + unique vulnerabilities found. Check out the audit docs below! ⤵️
Zer0day Sec 🗡@Zer0day_sec·
WON'T-FIX? Yes, we've said this times without number: A project is at liberty to mark a bug/weakness as WON'T-FIX. You are free to harbour or keep your secret bypass, risking your protocol assets, despite our recommendation. BUT this does NOT in any way invalidate a valid research. Projects must respect every valid security research, report and recommendations and NOT let the drive to minimize or dodge bounty payment make them disrespect the noble art of RESPONSIBLE DISCLOSURE, or diminish the value of a security research conducted in good faith. This is important. - @Zer0day_sec #DOAW #bugbounty
Zer0day Sec 🗡@Zer0day_sec·
Pre-April, data says fewer attacks. But alas! April had other plans. ZetaChain. Wasabi. YieldCore. Singularity. Scallop. Volo. Whether it's frequency or concentration, the damage is accelerating. The pattern has changed. The exposure hasn't. 🔍 Admittedly, the era of simple exploits is over. Attackers now spend months becoming trusted before they strike. Fake job offers. Spear phishing. Compromised personal accounts. The best smart contract audit in the world doesn't protect against an employee clicking the wrong link. The security stack has to go deeper than the code. 🔍
Zer0day Sec 🗡@Zer0day_sec·
@KaiaChain Big moves on Kaia. Whatever it is, security infrastructure needs to scale with the ambition. The bigger the ecosystem, the higher the stakes on the bridge layer. Watching closely. 🔍
Kaia@KaiaChain·
We have big news planned for May. Please look forward to it.
Zer0day Sec 🗡@Zer0day_sec·
Diary of a Whitehat - Entry 003 🔜 loading...

A live bridge. 51 million+ messages deep. A continuity check that was supposed to guarantee message ordering, integrity. A bypass that made it dead code:
♤ Found exclusively from raw EVM bytecode
♤ Confirmed on-chain with a working POC
♤ A bypass. Silent - no revert, no log, no on-chain signal
♤ Invalid entry written to a live chain
♤ Reported March 1. Still unresolved. Still exploitable.

Triage confirmed the bypass works. Four different shifting arguments. One month. Same faulty conclusion.

Full disclosure: The code. The POC. The arguments. All of it. Stay tuned.

#DOAW #Web3Security #ResponsibleDisclosure
@zer0day_sec | 0daysec.xyz