Coordinated vulnerability disclosure (CVD)
Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware and want to report it? The golden rule is to inform the vendor or system owner directly. However, if these organisations do not respond to you or if their response is insufficient, the NCSC can act as an intermediary to resolve such security issues.
There are different ways to report a vulnerability.
Federal government assets
In the event that you have discovered a technical vulnerability in an IT system, application or hardware of the federal government, you should report the identified vulnerability to the NCSC using the form below. Please follow our common vulnerability disclosure policy to ensure compliant reporting.
If you found vulnerabilities related to the COVID-19 certificate system or the Swiss COVID-19 proximity tracing system, please use the special reporting form.
In the event that you have found a vulnerability in an IT system or product that does not belong to the federal government but which impacts Switzerland as a country, the vulnerability should always be reported to the owner of the system or the product supplier first. You should only report your findings to the NCSC if the organisation does not provide an adequate response to the vulnerability. In this case, the NCSC will serve as an intermediary and bring the vulnerability to the attention of the affected organisation again.
If you have discovered a vulnerability in applications, software or hardware being used by Swiss companies, the NCSC, in its role as a CVE Numbering Authority (CNA), may coordinate the publication of the relevant CVE.
How to submit a CVD report to us:
- Complete the form below including details of your discovery. Please include your PGP public key so that the NCSC can ensure immediate and secure communication with you.
- Provide as much information as possible to enable the vulnerability to be reproduced. This helps to speed up the process.
- For more complex vulnerabilities, the NCSC might need to communicate directly with you. Please provide at least an email address or phone number.
- For encrypted communication, use the PGP key of vulnerability [at] ncsc.ch.
Last modification 01.07.2022