Documentation

How diovault works, explained for everyone involved. A disclose.io project.

What is diovault?

diovault is an open-source system that makes vulnerability disclosure deadlines cryptographically enforceable. When a security researcher submits a vulnerability report through the vault, the system guarantees that the report will become public at the agreed deadline — regardless of whether the vendor cooperates, ignores the report, or tries to suppress it.

It does this using timelock encryption: data is encrypted such that it can only be decrypted after a specific point in the future. No one — not the researcher, not the vendor, not a court — can prevent the decryption from happening. The deadline is enforced by mathematics, not trust.

The core guarantee: Once a disclosure enters the vault, nothing can stop it from going public at the hard deadline. Extensions can adjust the recommended deadline, but the hard deadline is immutable.

How It Works

Encrypt

AES-256-GCM

Report encrypted with a symmetric key, then wrapped per-recipient using X25519 key exchange.

Timelock

drand tlock

Content timelocked to the hard deadline. Content key separately timelocked to the recommended deadline for the auto-publish worker.

Store

IPFS + Arweave

Encrypted packet stored immutably across distributed and permanent storage networks.

Base L2

Content hash and participant identities recorded on-chain. Creates a tamper-proof audit trail.

Wait

drand beacon

Embargo period. Authorized parties decrypt with private keys. The drand beacon counts down.

Disclose

Auto-publish

Worker publishes at recommended deadline. If worker is down, hard-deadline backstop on IPFS fires automatically.

For Security Researchers

You've found a vulnerability. You want to disclose it responsibly, but you also want a guarantee that if the vendor stalls, goes silent, or sends legal threats, disclosure happens anyway.

How to Use It

Install and initialize. Generate your keypair — this is your identity in the system.

vault init

Your public key is what you share with vendors. Your secret key stays local.

Write up the vulnerability as you normally would — a markdown file with description, steps to reproduce, impact, and proof of concept.

Submit to the vault. This encrypts your report, timelocks it, and stores it immutably. Set both a recommended deadline (when you intend to publish) and a hard deadline (the absolute backstop).

vault submit \
  --file vulnerability.md \
  --deadline 90d \
  --hard-deadline 180d \
  --recipient vendor-security:<their_pubkey>

The hard deadline is the point of no return. Extensions can delay publication up to the hard deadline, but never beyond it.

Contact the vendor. Share your public key. Work with them normally during the embargo period. Both of you can decrypt the report anytime using your private keys.

Arm the dead man's switch (optional but recommended). This registers your disclosure with the auto-publish service at vault.disclose.io.

vault watch <id> --worker-url https://vault.disclose.io --api-key <API_KEY>

Now even if you're offline, unreachable, or silenced at the deadline — disclosure happens automatically.

Check status anytime. See the state of all your disclosures, days remaining, and on-chain activity.

vault status
vault status <id>

At the recommended deadline, the worker auto-publishes at vault.disclose.io/disclosure/<id>. If the worker is offline, the hard-deadline backstop on IPFS fires automatically — disclosure is guaranteed either way.

If Things Go Wrong

Adversary Scenarios

Vendor goes silent? The timelock decrypts at the deadline regardless. Their silence is the audit record.

Vendor sends legal threat? The encrypted packet is already on IPFS and Arweave. No action is required from you. The system is autonomous.

You're arrested or silenced? The dead man's switch at vault.disclose.io auto-publishes with zero human intervention.

Vendor needs more time? You can grant up to 3 extensions of 30 days each. In v2 mode, extensions are cryptographically real — the content stays encrypted until the new deadline (capped at the hard deadline). Details in FAQ.

Choosing Your Deadlines

Set the recommended deadline to when you intend to publish assuming normal coordination. Set the hard deadline to the latest date you’d be comfortable with this going public automatically, even if you’re completely unreachable.

Deadline Guidance

Vulnerability Type	Recommended	Hard	Extension Window
Web app (XSS, SQLi)	90d	120d	30d
Infrastructure / API	90d	150d	60d
Medical device / safety-critical	120d	270d	150d
Multi-vendor coordination	90d	180d	90d
Abandoned / no-contact vendor	45d	90d	45d

Need to Add a Coordinator?

If the vendor is unresponsive and you want to escalate to CERT/CC or another coordinator:

vault add-party <id> --pubkey <coordinator_pubkey>

They can now decrypt and help coordinate. The timelock is unaffected.

For Vendors

A security researcher has reported a vulnerability in your product through diovault. Here's what that means and what you need to do.

What This Means

The researcher has encrypted their vulnerability report and set a disclosure deadline (typically 90 days, or whatever your published VDP specifies). The report is timelocked — it will become publicly readable at the deadline automatically, regardless of any action or inaction by either party.

Important: The disclosure has both a recommended deadline and a hard deadline. Extensions can delay publication up to the hard deadline, but never beyond it. Plan your patch timeline accordingly. How extensions work.

What You Need to Do

Generate your keypair (if you haven't already) and share your public key with the researcher.

vault init

Decrypt the report using your private key to read the vulnerability details.

vault decrypt <disclosure_id>

Acknowledge receipt on-chain to create a public record that you received the report.

vault ack <disclosure_id>

Fix the vulnerability before the deadline. Coordinate with the researcher as needed. Request a CVE.

If you need more time, request an extension. The submitter has 7 days to approve.

# Vendor requests extension
vault extend <disclosure_id> --deadline 14d

# Submitter approves (v2: also updates the worker's key timelock)
vault extend <disclosure_id> --approve
vault extend <disclosure_id> --deadline 14d \
  --worker-url https://vault.disclose.io --api-key <API_KEY>

Maximum 3 extensions of 30 days each. In v2 mode, extensions cryptographically delay publication up to the hard deadline. See FAQ.

How the Audit Trail Protects You

Accountability cuts both ways. The on-chain record proves when you received the report and how you responded. If a researcher tries to misrepresent the timeline, the audit trail has the truth.
The researcher can't change their report after submission. The content is hash-verified at submission time. What was submitted is what gets disclosed.
You know the deadline is real. No ambiguity. No moving goalposts. You can plan your patch timeline with certainty.

For Coordinators (CERT/CC, etc.)

You've been added to a diovault disclosure as a coordinator. This means a researcher has escalated — typically because a vendor is unresponsive.

Your Role

You can decrypt the vulnerability report using your private key, just like any other authorized party.
You can facilitate communication between the researcher and the vendor.
You can view the full on-chain audit trail with vault audit <id>.
You cannot change the hard deadline. Only the submitter can grant extensions, and extensions cannot push past the hard deadline. The immutable backstop fires regardless.

Multi-Vendor Coordination

When a vulnerability affects multiple vendors, you can link disclosures to track dependencies:

# Mark that disclosure B depends on A being fixed first
vault link <id_B> --depends-on <id_A>

# Check existing relationships
vault link <id>

Links are coordination signals, not cryptographic constraints. Each timelock still fires independently.

What You Can't Do

You cannot stop or delay the disclosure. The timelock is cryptographic and operates independently of all parties. Your role is to help coordinate a good outcome before the deadline arrives — not to control whether disclosure happens.

This is by design. The system removes any single party as a point of failure or pressure. Even coordinators cannot suppress disclosure. This protects the integrity of the coordination process.

For the Public

You're looking at a published vulnerability disclosure on vault.disclose.io. Here's what happened:

A security researcher found a vulnerability in a product or service.
They encrypted the details and set disclosure deadlines (a recommended deadline and a hard backstop).
The vendor was notified and given time to fix the issue.
At the deadline, the system automatically decrypted and published the report.

How to Verify a Disclosure

Every published disclosure includes:

Content hash (SHA-256) — proves the content wasn't modified after submission
drand round number — proves the timelock expired at the stated time
On-chain audit trail — shows the full timeline: when it was submitted, when the vendor acknowledged, any extensions requested

You can decrypt and verify any disclosure independently after the deadline:

# Decrypt a published disclosure
vault disclose <disclosure_id>

# Verify packet integrity (content hash, timelock status)
vault verify <disclosure_id>

# View the full on-chain audit trail
vault audit <disclosure_id>

What "Timelock Expired" Means

The report was encrypted to a specific point in the future using the drand distributed randomness beacon. When that point arrived, the drand network (operated by Cloudflare, Protocol Labs, EPFL, and 15+ other organizations) produced a cryptographic signature that served as the decryption key. No single party controlled this process.

Frequently Asked Questions

Can the researcher change the vulnerability details after submission?

No. The content is hashed (SHA-256) at submission time and the hash is stored on-chain. Any modification would produce a different hash. The content that was submitted is exactly the content that gets disclosed.

Can a court order stop disclosure?

No. The encrypted packet is stored on IPFS (distributed) and Arweave (permanent). There is no single operator to serve a court order to.

The drand beacon that triggers decryption is a distributed network across multiple jurisdictions. The system was designed specifically so that no legal mechanism targeting a single party can prevent disclosure.

What if the researcher is wrong about the vulnerability?

The system enforces the timeline, not the validity of the report. If the researcher submits an invalid or inaccurate report, it will still be disclosed at the deadline. The on-chain audit trail will show whether the vendor responded and disputed the findings. Researchers should use the vault responsibly — the immutable record works both ways.

Can the deadline be extended?

Yes. In v2 (dual-deadline) mode, extensions are cryptographically enforced. The content genuinely stays encrypted past the original recommended deadline when an extension is granted.

How it works: At submission, the researcher sets two deadlines. The recommended deadline is when they intend to publish. The hard deadline is the absolute backstop. Content is timelocked to the hard deadline on IPFS (immutable). A separate timelock of the content key is sent to the auto-publish worker at the recommended deadline.

When an extension is granted, the researcher creates a new content key timelock at the extended deadline and sends it to the worker. The old timelock is replaced. Since the old timelock was only in the worker’s private storage (never on IPFS), it’s gone — the content stays encrypted until the new recommended deadline.

The hard deadline is immutable. No extension can push past it. If the worker is compromised or offline, the hard-deadline tlock on IPFS fires regardless. The researcher chooses this gap at submission time based on the vulnerability’s risk profile.

Coercion resistance: An attacker who coerces extensions can only delay disclosure from the recommended deadline to the hard deadline — never beyond it. The hard deadline is set by the researcher at submission and cannot be changed.

What is drand?

drand (distributed randomness) is a network operated by the League of Entropy — organizations including Cloudflare, Protocol Labs, EPFL (Swiss Federal Institute of Technology), University of Chile, Kudelski Security, and others. It produces verifiable random numbers (beacon rounds) every 3 seconds. diovault uses these rounds as timelock triggers: data is encrypted such that only the beacon's signature for a future round can decrypt it.

What does the dead man's switch do?

The auto-publish worker at vault.disclose.io runs every 60 seconds. In v2 mode, it tries two paths: first, it attempts to decrypt the content key from the recommended-deadline timelock stored in its private KV. If that succeeds, it decrypts the content, verifies the hash, and publishes.

If the worker is offline or compromised, the hard-deadline timelock on IPFS fires independently — the full plaintext becomes decryptable by anyone. This two-layer approach means disclosure happens even if the researcher is offline, unreachable, or silenced, and even if the worker itself is taken down.

How much does it cost?

About $0.07 per disclosure. Base L2 transactions cost ~$0.01, Arweave permanent storage costs ~$0.05, and IPFS pinning and drand beacon queries are free. There are no tokens, DAOs, or governance overhead.

Is this open source?

Yes. Everything is Apache-2.0 licensed. The smart contract, CLI, worker, and web UI are all open source. The repository will be published at github.com/disclose when the project launches publicly.

What if the drand network stops?

The drand network is operated by 15+ independent organizations across multiple countries. For it to stop, all of them would have to cease operations simultaneously. This has never happened and is approximately as likely as the internet itself stopping. Even if drand experienced temporary disruption, rounds are produced retroactively when the network recovers.