The US National Telecommunications and Information Administration (NTIA) is running a multi-stakeholder process about vulnerability disclosure. Part of this process involves surveys about how to improve awareness and adoption of coordinated vulnerability disclosure practices.
How to Report a Vulnerability
Use the Vulnerability Report Form to request coordinated vulnerability disclosure assistance. Please note that we do not accept every report that we receive. We are more likely to accept reports if they:
- are technically accurate, sufficiently detailed, and reasonably complete
- affect multiple vendors
- impact safety or critical infrastructure
- involve disagreement or dispute between reporters and vendors
- involve hard-to-reach or unresponsive vendors
- affect vendors or sectors that are new to software security and vulnerability disclosure
- require reporter anonymity
We strongly encourage researchers to attempt to report vulnerabilities directly to vendors before requesting our assistance (and before public disclosure). Some vendors offer bug bounty programs. A technically valid vulnerability is not sufficient reason for us to accept a report for coordination.
Before reporting a vulnerability, we recommend that you read our vulnerability disclosure policy and guidance. We strongly encourage you to attempt to contact vendors or other, more appropriate coordinators before asking us for assistance.
As our vulnerability disclosure policy explains, we send information submitted in vulnerability reports to affected vendors. Vulnerability reports for U.S. Government web sites will be forwarded to US-CERT for coordination within the government.
We are a CVE Numbering Authority and can issue CVE IDs for vulnerabilities that we coordinate. Please note that we typically do not assign CVE IDs unless we are significantly involved in the coordination and disclosure process. For "CVE-ID only" requests, we recommend contacting the CVE project directly.
Other Reporting Channels
Security incidents should be reported to appropriate IT support organizations, service providers, or to US-CERT.
Vulnerabilities specific to industrial control systems can be reported to ICS-CERT.
Incidents or vulnerabilities affecting Japanese or other Asian-Pacific organizations can be reported to JPCERT/CC.