Coordinated Vulnerability Disclosure (CVD)
Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware and want to report it? The golden rule is to inform the vendor or system owner directly. However, if these organisations do not respond to you or if their response is insufficient, the NCSC can act as an intermediary to resolve such security issues.
There are different ways to report a vulnerability.
Federal government assets
In the event that you have discovered a technical vulnerability in an IT system, application or hardware of the federal government, you should report the identified vulnerability to the NCSC using the form below. Please follow our common vulnerability disclosure policy to ensure compliant reporting.
In the event that you have found a vulnerability in an IT system or product that does not belong to the federal government but which impacts Switzerland as a country, the vulnerability should always be reported to the owner of the system or the product supplier first. You should only report your findings to the NCSC if the organisation does not provide an adequate response to the vulnerability. In this case, the NCSC will serve as an intermediary and bring the vulnerability to the attention of the affected organisation again.
If you have discovered a vulnerability in applications, software or hardware being used by Swiss companies, the NCSC - in its role as a CVE Numbering Authority (CNA) - may coordinate the publication of the relevant CVE.
Important note on CVE requirement:
To speed up the processing of your CVE request, make sure that you have planned a public reference that meets MITRE requirements. At a minimum, it should:
- Mention the vulnerability (at least CVE number + affected versions)
- Be accessible from the internet
To help speed up the process, please create a draft in «Vulnogram» and include the resulting JSON.
If the reported vulnerability affects a cloud service, make sure it is eligible under 7.4.4 Requirements for Assigning a CVE ID: «The vulnerability requires customer or peer action to resolve».
How to submit a CVD report to us:
- Complete the form below including details of your discovery. Please include your PGP public key so that the NCSC can ensure immediate and secure communication with you.
- Provide as much information as possible to enable the vulnerability to be reproduced. This helps to speed up the process.
- For more complex vulnerabilities, the NCSC might need to communicate directly with you. Please provide at least an email address or phone number.
- For encrypted communication, use the PGP key of vulnerability [at] ncsc.ch.
Last modification 30.08.2023