How to Report a Vulnerability

We strongly encourage researchers to attempt to report vulnerabilities directly to vendors before requesting our assistance (and before public disclosure). Some vendors offer bug bounty programs.

Use the Vulnerability Report Form to request coordinated vulnerability disclosure assistance. Because our coordination capacity is limited, we have to prioritize cases that meet one or more of the following criteria:

  • affect multiple vendors
  • impact safety or critical infrastructure
  • involve disagreement or dispute between reporters and vendors
  • involve hard-to-reach or unresponsive vendors
  • affect vendors or sectors that are new to software security and vulnerability disclosure
  • require reporter anonymity

In addition to the above, we expect vulnerability reports to be technically accurate, sufficiently detailed, and reasonably complete. Reports that fail to meet the above criteria are likely to be declined for further coordination.

Before reporting a vulnerability to us, we recommend reading our vulnerability disclosure policy and guidance.

As our vulnerability disclosure policy explains, we send information submitted in vulnerability reports to affected vendors. Vulnerability reports for U.S. Government web sites will be forwarded to US-CERT for coordination within the government.

Begin Your Report

To begin your report, please select the option below that most closely describes your request.

CVE Assignment

Although we are a CVE Numbering Authority (CNA), we typically only assign CVE IDs for vulnerability reports where we are significantly involved in the coordination and disclosure process.

If you only need a CVE ID assignment for a vulnerability report, we recommend that you contact the appropriate product-specific CVE Numbering Authority, or the CVE project directly.

Other Reporting Channels

Security incidents like phishing should be reported to appropriate IT support organizations, service providers, or to US-CERT. If law enforcement is required, please file a complaint with the FBI at IC3. The CERT/CC is not a law enforcement organization and cannot assist with such investigations.

Vulnerabilities specific to industrial control systems can be reported to ICS-CERT.

Incidents or vulnerabilities affecting Japanese or other Asian-Pacific organizations can be reported to JPCERT/CC.