Vulnerability Analysis

Wassenaar Arrangement and BIS Implementation Comments

Read our take on the Wassenaar Arrangement and the recently proposed BIS rules.
Read our comments

Vulnerability Analysis Team Wins Prestigious Award

The Vulnerability Analysis Team won the U.S. Government Information Security Leadership Award in the category of Most Valuable Industry Partner for its responsible coordinated disclosure strategy for software vulnerabilities.
Read more about the award

Vulnerability Reporting

We accept reports of security vulnerabilities and serve as a coordinating body that works with affected vendors to resolve vulnerabilities.
Report a vulnerability

Vulnerability Notes

Our Vulnerability Notes provide timely information about software vulnerabilities we have discovered or have learned about from other sources.
Explore our Vulnerability Notes database

CERT Tapioca

CERT Tapioca is a virtual machine appliance (OVA) for performing man-in-the-middle network traffic analysis of software and devices.
Download CERT Tapioca


Get timely information about vulnerability discovery, coordination, and disclosure.
Read the CERT/CC blog

Vulnerability Coordination

Using a comprehensive four-step process, we accept reported vulnerabilities, coordinate with vendors to eliminate them, and disclose them to protect users.
Learn how our process works

Open Source Tools

Our discovery tools help you find vulnerabilities in your software so that you can remove them before your software is released.
Download our tools

Our Mission: We collect, analyze, and validate emerging vulnerabilities to common computing platforms; we broadly notify operators of vulnerabilities as well as provide mitigation and remediation guidance.

The Vulnerability Analysis team helps to reduce security risks posed by software vulnerabilities by addressing the number of vulnerabilities in software that is being developed and in software that has already been deployed.

We help vendors learn how vulnerabilities are created and discovered.

We collaborate with software vendors and the researchers who discover defects in their products to support releasing vendor-supported mitigations when vulnerabilities are disclosed publicly.

We provide guidance on improving the security of software.

We help organizations and individuals mitigate the impact of threats to their computing environments by providing timely guidance about the secure configuration of common operating platforms.

We publish information about vulnerabilities.

We publish Vulnerability Notes, which describe vulnerabilities we have discovered or have received from other sources.

We blog about software security.

We publish timely information about vulnerabilities and mitigation efforts on our CERT/CC blog.

Engage with Us

We can show you how to reduce security risks that result from software vulnerabilities.

Use our vulnerability reporting form to tell us if you have discovered an unresolved security vulnerability.

What Is a Vulnerability?

A vulnerability is a software defect that allows an attacker to violate an explicit (or implicit) security policy to achieve some impact (or consequence).

Publications & Media

Vulnerability Notes Database
Our Vulnerability Notes provide timely information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors.

Download CERT Tapioca
CERT Tapioca is a virtual machine appliance (OVA) for performing man-in-the-middle network traffic analysis of software and devices.

Finding Android SSL Vulnerabilities with CERT Tapioca
CERT Tapioca can be used for automated discovery of SSL vulnerabilities in Android applications.

Updated CERT Fuzzing Tools
We have updated BFF V2.7 and FOE V2.1, the CERT Division's fuzzing tools, to include virtual machine changes.