Framework conditions and rules

Follow these simple rules:

  • Do not discuss the security vulnerability you discovered with anyone other than the vendor, the system owner or us. Do not publicly disclose the vulnerability until the security issue has been fixed or until you have reached an agreement with us.
  • Do not repeatedly interact with the system. Once you have found the security vulnerability, report it and wait for our response.
  • Do not download, modify or delete any data from a system.
  • Do not make any changes to the system.
  • Do not attempt to gain access to a system using brute force or social engineering techniques. Do not use denial of service attacks.

What you can expect from our CVD programme:

  • If the vulnerability is submitted in compliance with the specified rules, NCSC.ch will not take legal action against you. Your details will be treated as confidential. You can send us your information anonymously.
  • We will mention your name as the person who discovered the vulnerability only with your consent.
  • You will receive an acknowledgement of receipt within 24 hours of disclosing the issue. You will receive an assessment report from us within five working days.
  • NCSC.ch will seek to rectify the security issue within 60 days of notification. You will receive regular progress updates. Once the issue has been resolved, we will decide on the means for public disclosure in consultation with the parties.

Last modification 03.06.2021

https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/scope-and-rules.html