The CERT/CC's primary method of communication is email. If we do not have an email address on file, we will attempt to find a contact email on your organization's website.
Emails usually will come to you from firstname.lastname@example.org, our general vulnerability reporting email, and will be PGP signed to provide verification that it is a true email from the CERT/CC. You may use our PGP key to verify the signature, and you may call our Hotline during business hours to verify the PGP key fingerprint. For more information on working with PGP, please see PGP and Encrypted Email.
You may also receive email directly from one of our analysts. Our analysts all use email addresses ending in @cert.org for official business. If there is any question on the authenticity of the message from someone claiming to be a CERT/CC employee, you may contact us to verify.
If email contact fails, we may attempt to establish contact with your organization via publicly-listed phone numbers, or social media such as Twitter and LinkedIn.
We may also send certified US Mail to your business address. For more information on our contact methodology, please see the blog post "Reach Out and Mail Someone".
As above, you can email us or call us to verify that this message was an official CERT/CC contact attempt; if available, please refer to the VU# when contacting us.
Once secure communication is established, we will forward a vulnerability report and any extra analysis we have done to your organization for review. Typically, this report will be PGP encrypted to a public key provided by your organization, unless the CERT/CC is requested to not encrypt details.
In some circumstances however, particularly when multiple vendors are involved, we reserve the right to refuse to send an un-encrypted vulnerability report, in order to protect the security of all parties involved.
Once you've established contact with us and received the reporter, please see Working with the CERT/CC for more information about what comes next.