Vulnerability Analysis


We help engineers detect, eliminate, and avoid creating vulnerabilities in software.

Discussion of Heartbleed

Read our take on Heartbleed, and listen to technical staff from the SEI and Codenomicon discuss the impact of the Heartbleed bug.
Learn more about Heartbleed


Get timely information about vulnerability discovery, coordination, and disclosure.
Read the CERT/CC blog


Our discovery techniques help you understand how software vulnerabilities are created so you can learn how to avoid them.
Learn to avoid software vulnerabilities


Our comprehensive four-step process helps you learn how to remove vulnerabilities from your software.
Learn strategies for reducing vulnerability

The Vulnerability Analysis team helps engineers reduce the security risks posed by software vulnerabilities by reducing the number of vulnerabilities both in software that is being developed and in software that has already been deployed.

We help engineers learn how vulnerabilities are created and discovered.

We help engineers learn how to detect and eliminate—and eventually avoid—vulnerabilities in software products before the products are shipped.

We provide a process for coordinating vulnerabilities.

Our comprehensive vulnerability coordination process promotes best practices, provides guidance about making configuration or architecture changes, and outlines effective techniques for applying workarounds.

We collect information about vulnerabilities.

We collect reports of security vulnerabilities and serve as a coordinating body that works with affected vendors to resolve their software vulnerabilities.

We provide timely information about software vulnerabilities.

Our CERT Knowledgebase is a collection of internet security information related to incidents and vulnerabilities. You can access the knowledgebase to learn about reported security vulnerabilities.

Engage with Us

We can show you how to reduce security risks that result from software vulnerabilities.

Contact Us

Use our vulnerability reporting form to tell us if you have discovered an unresolved security vulnerability.

What Is a Vulnerability?

A vulnerability is a software defect that allows an attacker to violate an explicit (or implicit) security policy to achieve some impact (or consequence).

Publications & Media

Our Take on the Heartbleed Bug
Will Dormann, a CERT vulnerability analyst, was interviewed by the media extensively to get his perspective on the Heartbleed bug. Read his input, and download the Vulnerability Note that lists which vendor sites are affected by the vulnerability and which vendors have posted patches.

Why Cybersecurity Is Not Like the Immune System
The idea of a cyber-immune system sometimes circulates through the community, but such proposals seem not to properly frame how the immune system works, how good computer security would work, or both. In this blog post, Jonathan Spring puts both ideas in context in order to make clear why cybersecurity is not like the immune system, and why it would be nice if it were.

Updated CERT Fuzzing Tools
We have updated BFF V2.7 and FOE V2.1, the CERT Division's fuzzing tools, to include virtual machine changes.

Database of Known Software Vulnerabilities
The Vulnerability Notes Database provides timely information about software vulnerabilities and includes summaries, technical details, remediation information, and lists of affected vendors.