Coordinated vulnerability disclosure (CVD)

Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware and want to report it? The golden rule is to inform the vendor or system owner directly. However, if these organisations do not respond to you or if their response is insufficient, the NCSC can act as an intermediary to resolve such security issues.

There are different ways to report a vulnerability.

Federal government assets

In the event that you have discovered a technical vulnerability in an IT system, application or hardware of the federal government, you should report the identified vulnerability to the NCSC using the form below. Please follow our common vulnerability disclosure policy to ensure compliant reporting.

Non-government assets

In the event that you have found a vulnerability in an IT system or product that does not belong to the federal government but which impacts Switzerland as a country, the vulnerability should always be reported to the owner of the system or the product supplier first. You should only report your findings to the NCSC if the organisation does not provide an adequate response to the vulnerability. In this case, the NCSC will serve as an intermediary and bring the vulnerability to the attention of the affected organisation again.

CVE publication

How to submit a CVD report to us:

  • Complete the form below including details of your discovery. Please include your PGP public key so that the NCSC can ensure immediate and secure communication with you.
  • Provide as much information as possible to enable the vulnerability to be reproduced. This helps to speed up the process.
  • For more complex vulnerabilities, the NCSC might need to communicate directly with you. Please provide at least an email address or phone number.
  • For encrypted communication, use the PGP key of vulnerability [at] ncsc.ch.

PGP Key - vulnerability [at] ncsc.ch (ASC, 3 kB, 01.10.2021)
Fingerprint: F25A B97C 779A 0C6A 0DE0 F356 BCBB 3E22 5F16 898


Report vulnerabilities

Brief description of the vulnerability (max. 250 characters).
 
For a description of the severity levels, see https://www.first.org/cvss/calculator/3.0.
Describe your observation in as much detail as possible to help us reproduce the problem and fix it as quickly as possible.
 
Describe the impact of the vulnerability. What is affected if the vulnerability is exploited?
 
If available, a mitigation approach can be described here.
 
Please use ASCII text (for example Markdown), PDF or PNG files for the documentation.

Personal information (optional)

You can enter your personal information here. This will enable us to contact you if we have further questions.

 
 
 
 
You can attach your PGP public key here.
 


Last modification 01.07.2022


https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden.html