OROP
Private · Invite-only

Offensive Research Operations Platform

The private workspace for 0day researchers. Full vulnerability lifecycle, exploit vault, embargo enforcement — one platform, zero cloud dependencies.

7 lifecycle states
v3.1+4 CVSS scoring
100% self-hosted
orop — research workspace
7 lifecycle states: Researching → Disclosed
2 CVSS versions: v3.1 & v4.0 built-in
15m presigned URL TTL: files never through backend
1cmd full-stack deploy: docker compose up

Vulnerability lifecycle

From first crash to public disclosure

OROP enforces a typed state machine on every vulnerability. Transitions validated server-side — no accidental status skips.

Researching
PoC Ready
Reported
Under Embargo
CVE Assigned
Patched
Disclosed

CVSS v3.1 & v4.0

Built-in scoring calculator. Severity auto-derived from the highest available score. Vectors stored alongside the vuln.

Broker & sale tracking

Log broker, sale date, and sale price. Supports Crowdfense, Zerodium, ZDI, SSD, HackerOne, and direct.

Embargo enforcement

Set embargo_until on any vuln. Advisory publication and viewer access both respect the embargo window automatically.

Everything in one place

Built for 0day researchers

CVE               CVSS   Status           Broker
CVE-2025-14892    9.8    under_embargo    Crowdfense
CVE-2025-09311    8.1    poc_ready        ZDI
CVE-2025-00441    5.3    researching

0day Portfolio

Full vulnerability lifecycle with a validated state machine. CVSS v3.1 & v4.0 built in. Broker tracking, CVE-ID, embargo dates, co-authors per vuln.

Private by Design

Self-hosted — you own the data. JWT + TOTP 2FA. No telemetry, no third-party services.

Advisory Publication

Write and publish public advisories. Embargo enforcement, CVE linkage, public researcher profile.

exploit_chrome_v8.py    4.2 KB
kernel_lpe_arm64.c      12.1 KB
ida_analysis.i64        8.4 MB
crash_dump_001.bin      1.1 MB

Exploit Vault

Store .py, .c, binaries, IDA/Ghidra exports and crash dumps per operation. Short-lived presigned URLs — files never routed through the backend.

Operations & Teams

Scope every resource to an operation. Role-based access: op-admin, operator, viewer. Calendar tracks embargo and broker deadlines.

Live Markdown Workspace

Monaco-powered editor with Obsidian-style live preview. Headings, bold, italic, code and links render inline. Notes attach to vulnerabilities with full-text search.

# UAF in WebKit JSC

Triggered via Array.prototype.splice

with GC interleaving on…

**bold** _italic_ `code`

Self-hosted stack

Go, Next.js 16, PostgreSQL 16, Redis 7, MinIO, Docker, Gin, sqlx, golang-migrate, Nginx
React 19, TypeScript, TailwindCSS v4, shadcn/ui, Radix UI, Monaco Editor, react-hook-form, Zod, jwt-go, Framer Motion

Everything runs in Docker. docker compose up brings up the full stack. No external services, no cloud dependency.

Ready to start

Organize your research.
On your terms.

Your operations, vulnerabilities, notes and exploits — one private workspace, self-hosted.