How to Report a Vulnerability

Use This Form to Request Assistance From CERT/CC

The CERT Coordination Center (CERT/CC) strongly encourages researchers to attempt to report vulnerabilities directly to vendors before requesting assistance (and before public disclosure). Some vendors offer bug bounty programs.

CERT/CC does not accept or respond to every report. We prioritize reports that affect multiple vendors or that impact safety, critical or internet infrastructure, or national security. We also prioritize reports that affect sectors that are new to vulnerability disclosure. We may be able to provide assistance for reports when the coordination process breaks down.

Before reporting a vulnerability to us, we recommend reading our vulnerability disclosure policy and guidance. We send information submitted in vulnerability reports to affected vendors. Vulnerability reports for U.S. Government civilian web sites (i.e., .gov) will be forwarded to US-CERT for coordination within the government.

Begin Your Report

Please select the option below that most closely describes your request.

CVE ID Requests

To request a CVE ID, follow the CVE guidance. Although we are a CVE Numbering Authority (CNA), we typically only assign CVE IDs for vulnerability reports that we coordinate.

Other Reporting Channels

Report security incidents to IT support organizations, service providers, or to US-CERT.

To report suspected criminal activity, file a complaint with the FBI at IC3.

Vulnerabilities affecting industrial control systems can be reported to ICS-CERT.