Important note: ZeroSSL is <i>not</i> a certificate authority but a certificate reseller that pays an actual CA, Sectigo, to operate a white-label intermediate certificate with ZeroSSL in the name[1].<p>As a non-CA, ZeroSSL isn't required to provide an incident report or revoke any certificates, as the researcher is requesting. Fortunately, their bad security can only impact their own customers, in contrast to a CA whose bad security can affect everyone.<p>[1] see <a href="https://www.agwa.name/blog/post/the_certificate_issuer_field_is_a_lie" rel="nofollow">https://www.agwa.name/blog/post/the_certificate_issuer_field...</a>
ZeroSSL left an uncanny impression on me when, for some reason, the acme.sh developers made them the default instead of Let's Encrypt. This prompted me to switch to a different client (just in case Let's Encrypt support in acme.sh worsened further).
Before 2020, ZeroSSL used to be a browser-based ACME client using Let's Encrypt. I don't doubt that money was involved, and they switched to Comodo (now Sectigo) with no notice that I can think of. I used them for a few one-off certificates, but this rug-pull caught me off guard. I'd happily watch if they go down in this dumpster fire.