Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware and want to report it? The golden rule is to inform the vendor or system owner directly. However, if these organisations do not respond to you or if their response is insufficient, the NCSC can act as an intermediary to resolve such security issues.
There are different ways to report a vulnerability.
Federal government assets
In the event that you have discovered a technical vulnerability in an IT system, application or hardware of the federal government, you should report the identified vulnerability to the NCSC using the form below. Please follow our common vulnerability disclosure policy to ensure compliant reporting.
If you found vulnerabilities related to the COVID-19 certificate system or the Swiss COVID-19 proximity tracing system, please use the special reporting form.
In the event that you have found a vulnerability in an IT system or product that does not belong to the federal government but which impacts Switzerland as a country, the vulnerability should always be reported to the owner of the system or the product supplier first. You should only report your findings to the NCSC if the organisation does not provide an adequate response to the vulnerability. In this case, the NCSC will serve as an intermediary and bring the vulnerability to the attention of the affected organisation again.