Coordinated vulnerability disclosure (CVD)

Vulnerabilities in the «COVID-19 certificate system»

For vulnerabilities in the «COVID-19 certificate system», please use our special reporting form.

Vulnerabilities in the «SwissCovid Proximity Tracing System»

For vulnerabilities in the «SwissCovid Proximity Tracing System», please use our special reporting form.

General vulnerabilities

Have you discovered a vulnerability in IT systems of the Swiss government or in critical infrastructure systems? Or have you discovered a vulnerability in commercially available applications, software or hardware? The golden rule is to inform the vendor or system owner directly. However, if these organisations do not respond to you or if their response is insufficient, the National Center for Cybersecurity ( can act as an intermediary to resolve such security issues. You can use the following coordinated vulnerability disclosure (CVD) formular to provide us with the information.

How can you submit a CVD report to us?

  • Complete the form below with the details of your discovery. Include your PGP public key so that we can ensure immediate and secure communication with
  • Provide as much information as possible to enable the vulnerability to be reproduced. This helps to speed up the problem-solving process.
  • For more complex vulnerabilities, we will probably need to communicate directly with you. Please provide at least an email address or phone number.
  • You can use the PGP key of vulnerability [at]

PGP Key - vulnerability [at] (ASC, 3 kB, 01.10.2021)Fingerprint:
F25A B97C 779A 0C6A 0DE0 F356 BCBB 3E22 5F16 898

Report test results

Brief description of the vulnerability (max. 250 characters).
Description severity level: see below on this page.
Describe your observation in as much detail as possible to help us reproduce the problem and fix it as quickly as possible.
Describe the impact of the vulnerability. What is affected if the vulnerability is exploited?
If available, a mitigation apporach can be described here.
Please use ASCII-text (for example Markdown), pdf or png files for the documentation.

Personal information (optional)

You can enter your personal information here. This will enable us to contact you if we have further questions.

You can attach your PGP public key here.

Definition severity level 

The severity level can be determined using the Common Vulnerability Scoring System (CVSS). The FIRST (Forum of Incident Response and Security Teams) website provides an interactive tool for this purpose:

Critical (CVSS v3 score: 9.0-10.0): Critical incidents typically do not require any interaction by the person targeted. Accordingly, an attacker does not need any special knowledge about a target. Remote code execution is typical for a critical incident. Repercussions include the outflow of personal data or the loss of anonymity.

High (CVSS v3 score 7.0-8.9): User actions (social engineering) are necessary for successful exploitation. The attacker can thus gain extensive privileges. Repercussions can include data outflows here too.

Medium (CVSS v3 score: 4.0-6.9): Only limited access is gained in the event of exploitation. Moreover, the attacker must be in the same system as the victim. Data is not affected or only to a limited extent.

Low (CVSS v3 score: 0.1-3.9): Functionality and data are not affected. Layout errors and spelling mistakes are also in this category.


Last modification 06.12.2021

Top of page