Vulnerability Reporting Form Instructions
When you report a security vulnerability, we encourage you to complete our vulnerability report form in as much detail as possible. This allows us to better understand the vulnerability and process it more efficiently.
What Is a Vulnerability?
We broadly define a vulnerability as a software defect that allows an attacker to violate an explicit (or implicit) security policy to achieve some impact (or consequence). In particular, defects that allow intruders to gain increased levels of access or interfere with the normal operation of systems are vulnerabilities. Insecure configurations, design choices, and changing environmental conditions can also cause vulnerabilities. Note that we do not consider viruses, Trojan horse programs, and other malicious code to be vulnerabilities.
Your Contact Information
We only use your information to contact you if we have additional questions about this report and to publicly acknowledge you if you indicate that we may. We do not sell this information or share it outside the parameters described in the form.
- Name - Your full name. If you wish to remain anonymous, you may leave this field blank. Alternatively, you may provide your name and ask us to hold it in confidence.
- Organization - The name of your organization.
- Email - Your email address. You may enter multiple addresses separated by commas. The top-level domain of your email address (e.g., .com) will be used in statistical reports describing the origin of our vulnerability reports.
- Telephone - Your telephone number. Provide your preferred voice number first, followed by any other numbers separated by commas. Please include your country code, for example, +1 412-268-8907.
Providing Your Name to the Vendor
We encourage communication between vendors and their customers. When we forward a report to the vendor, we include the reporter's name unless the reporter has asked us not to. If you do not want the vendor to receive your name, please select the appropriate radio button.
When we publish documents, we often thank people for reporting vulnerabilities or for providing assistance as we researched the vulnerability. If we publish a document based on your report, we will acknowledge your contribution unless you request otherwise. If you do not want your name to appear on a document published in conjunction with this vulnerability, select the appropriate radio button.
Vulnerability Description
Describe the vulnerability (or multiple vulnerabilities) in as much detail as you can. Include the following types of information:
- What do you know about the affected product, including its expected operation and how the vulnerability works? Try to distinguish between the portions of the report that you have confirmed and the portions that contain speculation.
- How can the vulnerability be exploited? In many cases, pointing to a publicly available exploit or a couple of commands will be sufficient. Sometimes, however, it may not be immediately clear how an intruder could create the circumstances necessary to exploit the vulnerability. Provide as much detail as you can. If you have first-hand knowledge that the vulnerability is being exploited, please describe how you know.
- How can users protect themselves? If the software vendor has already produced patches, include patch numbers or other definitive information about those patches. If you are aware of a simple way that system administrators can protect themselves (for example, by disabling the product), or you know the steps needed for a workaround, please share them. If the vulnerability is difficult to correct, we encourage you to include any suggestions you may have.
- What other information is available? Information about a vulnerability may be reported in a variety of sources (web pages, public mailing lists, newsgroups, etc.). This information is important because it may provide more detail than is included in this form. Provide pointers to any reports that you have seen (exploit scripts, public discussions of the vulnerability, recent intrusions involving the vulnerability, etc.).
Vulnerable System Configurations
Describe the system you know to be vulnerable. Include full product names, version numbers, and hardware architecture if possible. Please also list other systems that you believe are affected by the problem, but clearly identify those you have not actually tested. If you know of specific system configurations that are not vulnerable, list those as well.
Please explain how you discovered the vulnerability. We are interested in the specific tools, frameworks, and techniques you used, such as fuzz testing, source code analysis, and reverse engineering.
Check this box if you have seen evidence suggesting that this vulnerability is being exploited.
Publicly Available Exploit
If you believe that an exploit for the vulnerability is available to a limited audience or to the internet at large, check this box. If you have a link to this exploit, please include it in the Vulnerability Description section.
The impact of a vulnerability describes how the vulnerability affects a system that is attacked. It may also describe what an intruder gains by exploiting the vulnerability. Include any information you have about what access the intruder must have to exploit the vulnerability. The following are examples of impact:
- A user with a local account can gain "root" privileges.
- Anyone who can send a packet to the system can crash the system.
- A user with "bin" group access can gain "root" user privileges.
- Users with access to XYZ can gain access to sensitive information.
- A user with a local account can circumvent memory quotas.
We encourage you to contact the vendor about this vulnerability and work with them to correct the problem. Vendors have the resources to address vulnerabilities in their products, and by contacting them directly, you ensure that they can begin work on the issue as soon as possible. If you have contacted the vendor regarding this vulnerability, please provide as much information as possible (the phone number and email address of the person you contacted, vulnerability tracking numbers, etc.).
- Vendor Name - What is the common name of the company that produces the product that contains the vulnerability?
- Contact Name - What is the name of the person you contacted at the vendor? Having the person's name allows us to coordinate with the vendor more effectively as we try to understand the vulnerability.
- Contact Email - What is the email address of the person you contacted at the vendor? If you do not know this address, provide a general or security-related address.
- Contact Phone - If you spoke about this vulnerability over the telephone with someone at the vendor, what telephone number did you use? Having this number allows us to contact the vendor as well.
- Vendor Tracking ID - If you were given a tracking number from the vendor regarding this vulnerability, please provide this number.
Additional Vendor Information
If there are multiple vendors involved, list them here. If you've spoken with someone at a vendor regarding this vulnerability, please indicate which vendor and tell us how they responded to your report. Do they plan to provide a patch, release a security update, or incorporate the fix into a new version? Provide as much detail as you can.
Upload a File
This feature allows you to upload one (1) file that relates to this vulnerability. This file may be output from your testing, evidence of exploitation, or anything else that you think might be helpful. If necessary, you may archive multiple files into a single file for submission.
CERT Tracking IDs
If you have already received one or more CERT Tracking IDs, please provide them so that we can associate your submission with the appropriate reports. CERT Tracking IDs must be of the form "VU#nnnnnn" where "n" is a digit from 0-9. Separate multiple IDs with either commas or semi-colons with an optional space. There is a maximum limit of ten (10) tracking IDs per report.
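As an added example (not part of the form or of CERT's own code), the following Python function validates this field against the rules stated above: each ID is "VU#" followed by six digits, IDs are separated by commas or semicolons with an optional space, and at most ten are accepted. The sample IDs used are constructed.

```python
import re

# Rules stated in the form instructions: "VU#nnnnnn" with six digits,
# separators are commas or semicolons with an optional space, ten IDs at most.
VU_ID_RE = re.compile(r"^VU#\d{6}$")
MAX_IDS = 10


def parse_cert_tracking_ids(field):
    """Validate the CERT Tracking IDs field and return the IDs as a list.

    Raises ValueError naming the offending token or rule so a form handler
    can show the reporter exactly what to correct. An empty field is valid
    because the field is optional.
    """
    field = field.strip()
    if not field:
        return []
    # Split on a comma or semicolon, each optionally followed by whitespace.
    tokens = re.split(r"[,;]\s*", field)
    ids = []
    for tok in tokens:
        tok = tok.strip()  # tolerate a space before the separator as well
        if not VU_ID_RE.match(tok):
            raise ValueError(
                f"malformed CERT Tracking ID {tok!r}: expected the form VU#nnnnnn"
            )
        ids.append(tok)
    if len(ids) > MAX_IDS:
        raise ValueError(
            f"too many CERT Tracking IDs ({len(ids)}); the maximum is {MAX_IDS}"
        )
    return ids


if __name__ == "__main__":
    # Constructed sample input mixing both separators and optional spaces.
    print(parse_cert_tracking_ids("VU#123456, VU#654321;VU#000001 , VU#999999"))
```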
Please include anything else you would like to tell us about the vulnerability. Your comments on this form are also welcome.