Griffin Zero proposes the upstream patch, runs the maintainer's test suite, drafts the disclosure thread, manages the 90-day window, and coordinates CVE-ID assignment with the appropriate authority. The whole chain — from internal finding to public advisory — runs as a workflow.
A candidate zero-day surfaces in an internal triage queue. The right action is to coordinate with the upstream maintainer, ship a patch, run their tests, file a CVE, and publish an advisory after a customer-protection window. The wrong action — and the common one — is to wing it.
Without tooling, each step is ad-hoc: a Slack thread, a copy-pasted patch, a vendor email that goes unanswered for weeks, a CVE filing form that loses fields between sessions. The 90-day clock starts before the workflow does.
The Griffin Zero workflow makes the steps explicit. Patch first, then maintainer outreach with the patch and test results attached, then the disclosure clock, then the advisory — with the CVE ID either pre-allocated or filed through the appropriate authority.
Cold-emailing an upstream maintainer with a vulnerability report often gets no response. Patches in hand and test results pre-run change the response rate dramatically.
Without an explicit timer, the disclosure window drifts. The advisory either goes out too early (no upstream patch) or too late (window expired weeks ago).
A patch that breaks the maintainer's test suite gets bounced. Pre-running the upstream tests before sending the patch shortens the merge cycle from weeks to days.
Different ecosystems, different authorities (CVE.org, CERT-In, ENISA), different forms. Manual filing burns days; automated filing closes the loop in hours.
On a confirmed candidate, the Griffin Zero variant drafts an upstream patch with version-pinned compatibility notes and the minimum-diff principle.
The patch is run against the maintainer's declared test suite in an isolated environment; failing cases are corrected before the patch is sent.
The maintainer-outreach email is pre-composed with the patch and test evidence attached; a tenant reviewer ratifies it before it is sent. Tone is tuned to the project's contribution culture.
Where applicable, ID requests file through CVE.org, the relevant CNA, or CERT-In automatically; ID assignment auto-attaches to the finding.
Finding ratified by tenant reviewer; Griffin Zero workflow opens with full evidence bundle attached.
Griffin Zero proposes the upstream patch under the maintainer's contribution conventions; minimum-diff principle applied.
Patch executed against the declared test suite in an isolated builder; failures corrected and re-run before the patch ships.
Drafted email with patch + test evidence sent via the maintainer's declared channel; 90-day window starts on send.
Patch merged upstream; CVE ID requested via the appropriate authority; tenant customers notified per disclosure policy.
On window close (or earlier with maintainer consent), advisory publishes with the full evidence record, signed and timestamped.
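As an added illustration of the step ordering and the disclosure clock described above (this is example code written for this page, not Griffin Zero's implementation), the state machine below refuses out-of-order steps, holds the patch until the maintainer's suite is green, starts the 90-day clock on send, and rejects an advisory that is too early (no upstream patch, or window still open without maintainer consent) while reporting how late one is once the window has closed. Stage names, the `DisclosureCase` API, the `WorkflowError` type and the `CVE-YYYY-NNNNN` placeholder ID are assumptions made for the example.

```python
"""Coordinated-disclosure workflow state machine (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

DISCLOSURE_WINDOW_DAYS = 90  # assumed window length, matching the 90-day window in the text


class Stage(Enum):
    RATIFIED = 1        # finding ratified by the tenant reviewer
    PATCH_DRAFTED = 2   # upstream patch proposed
    TESTS_PASSED = 3    # maintainer's test suite green in the isolated builder
    SENT = 4            # outreach sent; the disclosure clock is running
    MERGED = 5          # patch merged upstream, CVE ID attached
    PUBLISHED = 6       # advisory out


class WorkflowError(RuntimeError):
    """Raised when a step is attempted out of order or the window is violated."""


@dataclass
class DisclosureCase:
    finding_id: str
    stage: Stage = Stage.RATIFIED
    sent_on: date | None = None
    cve_id: str | None = None
    maintainer_consent: bool = False   # maintainer agreed to publish before window close
    events: list[str] = field(default_factory=list)

    def _require(self, expected: Stage, action: str) -> None:
        if self.stage is not expected:
            raise WorkflowError(f"{action}: case is at {self.stage.name}, needs {expected.name}")

    def draft_patch(self) -> None:
        self._require(Stage.RATIFIED, "draft_patch")
        self.stage = Stage.PATCH_DRAFTED
        self.events.append("patch drafted")

    def record_test_run(self, failures: int) -> bool:
        """Record one isolated run of the maintainer's suite; ship only when green."""
        self._require(Stage.PATCH_DRAFTED, "record_test_run")
        self.events.append(f"test run: {failures} failure(s)")
        if failures:
            return False                # stay at PATCH_DRAFTED: correct and re-run
        self.stage = Stage.TESTS_PASSED
        return True

    def send_to_maintainer(self, on: date) -> date:
        """Outreach goes out with patch and test evidence; the clock starts on send."""
        self._require(Stage.TESTS_PASSED, "send_to_maintainer")
        self.sent_on = on
        self.stage = Stage.SENT
        self.events.append(f"sent {on.isoformat()}")
        return self.deadline()

    def deadline(self) -> date:
        if self.sent_on is None:
            raise WorkflowError("deadline: clock has not started (nothing sent)")
        return self.sent_on + timedelta(days=DISCLOSURE_WINDOW_DAYS)

    def days_remaining(self, today: date) -> int:
        """Positive while the window is open, negative once it has expired."""
        return (self.deadline() - today).days

    def record_merge(self, cve_id: str) -> None:
        self._require(Stage.SENT, "record_merge")
        self.cve_id = cve_id
        self.stage = Stage.MERGED
        self.events.append(f"merged, {cve_id} attached")

    def publish_advisory(self, today: date) -> dict:
        """Publish after window close, or earlier only with a merged patch and consent.
        Returns how many days late the publication is (0 when on time or early)."""
        if self.stage not in (Stage.SENT, Stage.MERGED):
            raise WorkflowError("publish_advisory: outreach has not been sent")
        remaining = self.days_remaining(today)
        if remaining > 0:
            if self.stage is Stage.SENT:
                raise WorkflowError("publish_advisory: no upstream patch yet (too early)")
            if not self.maintainer_consent:
                raise WorkflowError(f"publish_advisory: {remaining} day(s) left, no consent")
        self.stage = Stage.PUBLISHED
        self.events.append(f"published {today.isoformat()}")
        return {"cve_id": self.cve_id, "late_by_days": max(0, -remaining),
                "early_with_consent": remaining > 0}


if __name__ == "__main__":
    case = DisclosureCase("FIND-0001")              # constructed finding ID
    case.draft_patch()
    case.record_test_run(failures=2)                 # bounced: fix and re-run
    case.record_test_run(failures=0)
    print("deadline:", case.send_to_maintainer(date(2024, 1, 10)))
    case.record_merge("CVE-YYYY-NNNNN")              # placeholder, assigned by the authority
    print(case.publish_advisory(date(2024, 4, 30)))  # 21 days after window close
```

A `late_by_days` value above zero is the "window expired weeks ago" failure mode; the raised `WorkflowError` on an open window is the "too early" one.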
Pairs with zero-day-discovery for the candidate source, the Griffin family for the patch engine, and research for the disclosure policy reference.
Bring an old confirmed finding and we'll run it through the workflow end-to-end as a dry-run before live disclosure.