...
- Search the web or the vendor's web site for relevant phrases
  - "report a vulnerability"
  - "security"
  - "report a bug"
  - "bug bounty"
  - "vulnerability disclosure policy"
  - "security@" + company name
  - company name + "PSIRT"
- See if the vendor has a security.txt file, often found at www.example.com/security.txt (securitytxt.org, IETF Draft)
- Check vulnerability disclosure / bug bounty service providers (BugCrowd, Synack, HackerOne, etc.) to find vendor contacts.
- Check the Forum of Incident Response and Security Teams (FIRST) member directory at https://www.first.org/members/teams/
- Check the CVE Numbering Authority list at https://cve.mitre.org/cve/request_id.html#cna_participants
- Search open source code repositories (Github, GitLab, SourceForge, etc.) to find developer contacts.
  - If no direct contact information can be found, posting to the Issues page of a project asking how they'd like to receive vulnerability reports can be useful.
- Submit a bug report through the vendor's online bug tracker
  - If given the option to mark it as security-related, please do so, as this often restricts viewing to just the vendor.
- Reach out through social media (Twitter, LinkedIn, etc.) to request the vendor establish a direct communication channel
  - Where possible, we recommend you avoid posting vulnerability details in public when making initial contact. For example, reporters might instead post an issue to a public bug tracker requesting that the vendor provide a secure method of communication, rather than posting the vulnerability details directly in a publicly visible issue.
- Try emailing commonly used addresses:
  - support@, security@, abuse@, info@, sales@
- Fill out a generic support or "Contact Us" form
- Make a phone call to the vendor
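The security.txt item above is the one step in this list that can be checked mechanically. The following is an added example, not code from the original page or from the CERT/CC: it lists the two locations a reporter should try (the /.well-known/ path specified when the draft became RFC 9116, plus the older root path the page names) and parses a constructed sample file into its fields, pulling out the Contact channels in their stated order of preference and flagging a file whose Expires field is missing or past, since stale contact data should not be relied on. The sample content and the example.com host are constructed for the example.

```python
"""Locate and parse a vendor security.txt (RFC 9116) contact file.

Added example; not code from the original page. Field names follow
RFC 9116 (Contact, Expires, Policy, ...). The sample file is constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

FieldMap = Dict[str, List[str]]


def candidate_urls(host: str) -> List[str]:
    """Locations to try, most authoritative first.

    RFC 9116 specifies /.well-known/security.txt; the root path is the
    older location the page mentions and is still widely served.
    """
    return [
        f"https://{host}/.well-known/security.txt",
        f"https://{host}/security.txt",
    ]


def parse_security_txt(text: str) -> FieldMap:
    """Parse 'Field: value' lines into a dict of lists (fields may repeat).

    Comment lines (#) and blank lines are skipped; lines without a colon
    (e.g. PGP signature armour) are ignored. Field names are case-insensitive.
    """
    fields: FieldMap = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def contact_channels(fields: FieldMap) -> List[str]:
    """Contact values in file order; RFC 9116 says order indicates preference."""
    return fields.get("contact", [])


def is_stale(fields: FieldMap, now: Optional[datetime] = None) -> bool:
    """True when Expires is absent (RFC 9116 requires it) or already past."""
    now = now or datetime.now(timezone.utc)
    values = fields.get("expires")
    if not values:
        return True
    # RFC 9116 uses RFC 3339 timestamps; fromisoformat needs +00:00 not Z.
    expires = datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    return expires <= now


# Constructed sample security.txt (not from any real vendor).
SAMPLE = """\
# Constructed sample security.txt for this example
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2099-12-31T23:59:00.000Z
Preferred-Languages: en
Policy: https://example.com/vulnerability-disclosure-policy
Canonical: https://example.com/.well-known/security.txt
"""


def summarize(text: str) -> Dict[str, object]:
    """Return the parts a reporter acts on: contacts, policy URL, staleness."""
    fields = parse_security_txt(text)
    return {
        "contacts": contact_channels(fields),
        "policy": fields.get("policy", [None])[0],
        "stale": is_stale(fields),
    }


if __name__ == "__main__":
    for url in candidate_urls("www.example.com"):
        print("would fetch:", url)
    print(summarize(SAMPLE))
```

Running the script offline prints the two candidate URLs and the parsed summary of the constructed sample; pointing `parse_security_txt` at a fetched file gives the ordered contact list to use for initial outreach, and a `stale` result of True means the published contacts should be confirmed through another channel on this list before sending details.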
...