- Reporter is new to coordination and disclosure and would like some guidance on reporting and disclosing vulnerabilities
- Vendor is new to coordination and disclosure; the vendor may be unreachable by the reporter, or the vendor may request guidance on handling the report and establishing operations for future reports
- Multiple vendors are suspected of being affected, and the reporter either has received no reply or is even unsure exactly who is affected
- Vendor and Reporter disagree on the existence or severity of a vulnerability; CERT/CC may be able to provide independent testing and analysis
In these cases you can contact the CERT/CC for assistance by using our Vulnerability Reporting Form.
Coordinating via CERT/CC
The best way to submit a report to the CERT/CC is via our Vulnerability Reporting Form.
When working with the CERT/CC, the process is typically very similar but with a few extra steps:
- Security researcher reports a vulnerability to the CERT/CC and requests coordination assistance
- CERT/CC analyzes the report, attempting to verify the correctness of the information, and decides whether it will accept the case or decline to provide assistance
- CERT/CC may decline to assist in otherwise valid reports for many reasons: low severity, resource/time constraints, etc.
- If the report is accepted by the CERT/CC, then the CERT/CC will attempt to contact the vendor and report the vulnerability
- CERT/CC begins planning for public disclosure as a Vulnerability Note 45 days after the initial date of attempted contact, or on another date negotiated with the reporter
- If the vendor replies, CERT/CC will work with the vendor to develop and test patches if necessary, as well as help notify any downstream vendors affected
- If the vendor does not reply, CERT/CC will attempt to alert downstream vendors prior to the disclosure date and then publish the Vulnerability Note after sending a reminder notice to the vendor
- If possible, CERT/CC and the vendor will provide the patch for the vulnerability to downstream vendors privately before public disclosure
- Prior to the publication date, a CVE ID is assigned by CERT/CC if necessary (unless the vendor is a CVE Naming Authority, in which case the vendor must assign a CVE ID).
- The draft Vulnerability Note and CVE ID are shared with the vendor and reporter for comments, typically 1-2 weeks before the publication date. In some scenarios, CERT/CC may decide not to publish, however.
- On the agreed-upon publication date, public security advisories are published, detailing the issue and how to obtain the patch or mitigate the issue. CERT/CC may publish a Vulnerability Note, and typically the vendor and/or the reporter will also publish their own advisories.
Please note that when a vulnerability is reported to the CERT/CC, we will begin to manage the process and timeline. We will take the reporter's comments into our decision process, but by submitting a report, the reporter agrees that CERT/CC has final decision authority over any coordination and publishing on the CERT.ORG website, and agrees to follow our Disclosure Policy by default. However, as the vulnerability reporter, you are the owner of the vulnerability information and are free to disclose it on your own at any time, if you wish.
Per our disclosure policy, we also reserve the right to change this process as necessary. As stated earlier, every case is somewhat unique and may require significant changes to the process depending on the information available.