Before submitting a report, please be familiar with the preliminary instructions.
Contact information is not required, but we will be unable to communicate with you if you do not provide at least an email address. By default, we will provide your contact information to vendors, but you can choose for us not to do so.
If you wish to remain anonymous, please consider using a non-identifying, throw-away email account and an alias.
For encrypted email, we prefer PGP (but can support alternatives like S/MIME). If you'd like to use PGP, provide either your ASCII-armored public PGP key or a URL to the key.
For telephone, please include your country code if needed.
Unless there is a reason why you cannot do so, please attempt to contact vendors directly before requesting coordination assistance. If you are unable to reach the vendor, do not wish for the vendor to know who you are, disagree with the vendor, or are reporting a vulnerability that affects multiple vendors, we are more likely to accept your report.
Vendor Contact Information
Please describe any previous communications with vendors and provide contact information if possible.
If you believe that the vulnerability affects multiple vendors, please list them.
See our coordination request guidelines for more information about what we look for in a report.
Several of the Vulnerability Description fields are required. You can upload proof-of-concept code, screenshots, or other files in the next section.
Please let us know if you have any evidence of the vulnerability being publicly known or exploited. This information is important for prioritization.
If you plan to publicly disclose, please let us know your plans. Include dates, events, and other relevant information.
Please include any other comments you wish to share with us. These comments will not be shared with vendors.