How to Report a Vulnerability
We strongly encourage researchers to attempt to report vulnerabilities directly to vendors before requesting our assistance (and before public disclosure). Some vendors offer bug bounty programs.
Use the Vulnerability Report Form to request coordinated vulnerability disclosure assistance. Because our coordination capacity is limited, we prioritize vulnerabilities that meet one or more of the following criteria:
- affect multiple vendors
- impact safety or critical infrastructure
- involve disagreement or dispute between reporters and vendors
- involve hard-to-reach or unresponsive vendors
- affect vendors or sectors that are new to software security and vulnerability disclosure
- require reporter anonymity
In addition to the above, we expect vulnerability reports to be technically accurate, sufficiently detailed, and reasonably complete. Reports that fail to meet the above criteria are likely to be declined for further coordination.
As our vulnerability disclosure policy explains, we send information submitted in vulnerability reports to affected vendors. Vulnerability reports for U.S. Government web sites will be forwarded to US-CERT for coordination within the government.
Begin Your Report
To begin your report, please select the option below that most closely describes your request.
Although we are a CVE Numbering Authority (CNA), we typically only assign CVE IDs for vulnerability reports where we are significantly involved in the coordination and disclosure process.
Other Reporting Channels
Security incidents such as phishing should be reported to appropriate IT support organizations, service providers, or to US-CERT. If law enforcement involvement is required, please file a complaint with the FBI at IC3. The CERT/CC is not a law enforcement organization and cannot assist with such investigations.
Vulnerabilities specific to industrial control systems can be reported to ICS-CERT.
Incidents or vulnerabilities affecting Japanese or other Asian-Pacific organizations can be reported to JPCERT/CC.