How to Report a Vulnerability
We strongly encourage researchers to attempt to report vulnerabilities directly to vendors before requesting our assistance (and before public disclosure). Some vendors offer bug bounty programs.
We do not accept or respond to every report. We prioritize reports that affect multiple vendors or that impact safety, critical or internet infrastructure, or national security. We also prioritize reports that affect sectors that are new to vulnerability disclosure. We may be able to provide assistance for reports when the coordination process breaks down.
Before reporting a vulnerability to us, we recommend reading our vulnerability disclosure policy and guidance. We send information submitted in vulnerability reports to affected vendors. Vulnerability reports for U.S. Government civilian web sites (i.e., .gov) will be forwarded to US-CERT for coordination within the government.
Begin Your Report
Please select the option below that most closely describes your request.
CVE ID Requests
Other Reporting Channels
Report security incidents to IT support organizations, service providers, or to US-CERT.
To report suspected criminal activity, file a complaint with the FBI at IC3.
Vulnerabilities affecting industrial control systems can be reported to ICS-CERT.