Coordinated Vulnerability Disclosure (CVD)

Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware and want to report it? The golden rule is to inform the vendor or system owner directly. However, if these organisations do not respond to you or if their response is insufficient, the NCSC can act as an intermediary to resolve such security issues.

There are different ways to report a vulnerability.

Federal government assets

In the event that you have discovered a technical vulnerability in an IT system, application or hardware of the federal government, you should report the identified vulnerability to the NCSC using the form below. Please follow our common vulnerability disclosure policy to ensure compliant reporting.

Non-government assets

In the event that you have found a vulnerability in an IT system or product that does not belong to the federal government but which impacts Switzerland as a country, the vulnerability should always be reported to the owner of the system or the product supplier first. You should only report your findings to the NCSC if the organisation does not provide an adequate response to the vulnerability. In this case, the NCSC will serve as an intermediary and bring the vulnerability to the attention of the affected organisation again.

CVE publication

If you have discovered a vulnerability in applications, software or hardware being used by Swiss companies, the NCSC - in its role as an CVE Numbering Authority (CNA) - may coordinate the publication of the relevant CVE.

Important note on CVE requirement:

To ensure a quicker processing of your CVE request, ensure that you have planned a public reference according to MITRE requirements. It should at minimum:

Mention the vulnerability (at least CVE number + affected versions)
Be accessible from the internet

To help speed-up the process, please create a draft in the «Vulnogram» and include the resutling JSON.

If the reported vulnerability affects a cloud service, make sur it is eligible under the 7.4.4. Requirements for Assigning a CVE ID . «The vulnerability requires customer or peer action to resolve».

How to submit a CVD report to us:

Complete the form below including details of your discovery. Please include your PGP public key so that the NCSC can ensure immediate and secure communication with you.
Provide as much information as possible to enable the vulnerability to be reproduced. This helps to speed up the process.
For more complex vulnerabilities, the NCSC might need to communicate directly with you. Please provide at least an email address or phone number.
For encrypted communication, use the PGP key of vulnerability [at] ncsc.ch.

PGP NCSC Vulnerability (ASC, 3 kB, 31.08.2021)E-Mail: vulnerability at ncsc.ch
Key ID: 0xBCBB3E225F16898A
Fingerprint: F25A B97C 779A 0C6A 0DE0 F356 BCBB 3E22 5F16 898A

SMIME NCSC Vulnerability (CER, 1 kB, 06.10.2022)E-Mail: vulnerability at ncsc.ch
Fingerprint: bc4563dc1e37b759cd83ffa72a0d4bed468340c2

Report vulnerabilities

Summary/keyword

*

Brief description of the vulnerability (max. 250 characters).

Description

*

Describe your observation in as much detail as possible to help us reproduce the problem and fix it as quickly as possible.

Impact

Describe the impact of the vulnerability. What is affected if the vulnerability is exploited?

Mitigation

If available, a mitigation approach can be described here.

File Upload

Please use ASCII-text (for example Markdown), pdf or png files for the documentation.

Framework conditions and rules

I accept the framework conditions and rules

*

Personal information (optional)

You can enter your personal information here. This will enable us to contact you if we have further questions.

Name

First name

Email

PGP-Key

You can attach your PGP public key here. Note: Use the .pgp extension for the PGP key file.

Phonenumber