Framework conditions and rules

The discovery and reporting of vulnerabilities can have civil and criminal consequences. The associated risks can be reduced if you follow these rules:

When contacting the NCSC in a coordinated vulnerability disclosure case:

• Do not discuss the security vulnerability you have discovered with anyone other than the affected vendor, the respective system owner and the NCSC during the coordinated disclosure process.
• Do not publicly disclose the vulnerability until the affected parties have been given enough time to remedy it, or until you have reached an agreement with all the parties including the NCSC.
• Once you have reported a vulnerability to the NCSC, do not repeatedly interact with the affected system during the coordinated disclosure process.
• Do not leverage vulnerabilities to download, modify or delete any data beyond the minimum necessary actions to provide a proof of concept.
• Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to provide a proof of concept.
• Do not exfiltrate other users' data, use only your own account(s) for testing.
• Do not attempt to gain access to a system using brute force or social engineering techniques.
• Do not use denial of service attacks.
• Do not install malware or viruses.
• When possible, specify in your report what IP addresses you were using when you discovered the vulnerability, this will help assess potential exploitations and reducing false positive alerts.
• Communicate your intentions to the NCSC if you plan to disclose your findings publicly (advisory, conference talk, article, etc.).
  

What you can expect from our CVD programme:

• If a vulnerability affecting the federal government systems is submitted in compliance with the specified rules above and the reporter acts in good faith, without fraudulent intent nor intention to harm, the NCSC will not pursue civil or criminal action against you.
• You can choose to send your vulnerability reports anonymously to the NCSC.
• The NCSC will treat reports as confidential and will not share the personal data of the reporting parties or receiving organisation without their respective consent.
• Provided you have given your consent, we will credit you by name as the reporter of a vulnerability.
• You will receive an acknowledgement of receipt within 3 business days of disclosing the issue. The NCSC will triage the report within 5 business days.
• In the case of a vulnerability affecting the federal government, the NCSC will seek to coordinate a remedy within 60 days of notification.
• Depending on the organisation concerned and the nature of the vulnerability established, the NCSC will bring the vulnerability to the attention of the relevant organisation. However, the owner of the affected IT system remains responsible for the system and potential remediation activities.
• Wherever possible, the NCSC will keep the reporting party informed of developments and the remedy for the vulnerability.
• In the event of a CVE publication, the NCSC will coordinate disclosure with all involved parties.
• Currently, the NCSC CVD programme does not offer any recompense to reporters.