Vulnerability Reporting Form
You are not logged in. If you have a VINCE account, please log in before submitting this report. If you do not have an account, create an account before submitting your report in order to view the status of your report and potentially assist in the coordination process.
Vulnerability Information
Have you attempted to contact the vendor? *
Yes
No
Why have you not contacted the vendor directly?
I have not attempted to contact any vendors
I have been unable to find contact information for a vendor
Other
We strongly recommend attempting to contact vendors before filling out this form.
Submitting this form without further vendor status documentation may result in your report being treated with low priority or declined.
Please explain why you have not been able to contact the vendor.
Date of First Contact Attempt
Summary of previous vendor communications
What communications have you received from the vendor(s) so far? (max 20,000 chars)
Vendor Name
Do you believe multiple vendors are affected? *
Yes
No
Please list the vendors, one vendor per line.
What is the name of the affected product or software? *
This field will be used in the subject and/or body of an acknowledgment email from our system to help identify this report with its tracking number. Please DO NOT include any sensitive information in this field. Give the full product name such as "FooBar Router ABC1200" or "FooSoft Office."
What version number of the product or software is affected? *
Please include the version number you tested, such as 1.2.4, if known; otherwise put "unknown." A version number, firmware version, build number, or release date is helpful for identifying affected products.
Significant ICS/OT impact?
Related to AI/ML systems?
What is the vulnerability? *
Please describe the vulnerability in sufficient technical detail. Include a proof of concept if possible. You may describe multiple vulnerabilities here rather than submitting multiple forms, if the vulnerabilities affect the same product. (max 20,000 chars)
How does an attacker exploit this vulnerability? *
Explain access or other conditions necessary to attack. (max 20,000 chars)
What does an attacker gain by exploiting this vulnerability? (i.e. what is the impact?) *
Additional privileges, etc. Please be as specific as possible. (max 20,000 chars)
How was the vulnerability discovered? *
Please note any specific tools or techniques used. (max 20,000 chars)
Is this vulnerability publicly known? *
Yes
No
Please provide references (max 1000 chars)
Is there evidence that this vulnerability is being actively exploited? *
Yes
No
Please provide references
Do you plan to publicly disclose this vulnerability yourself? *
Yes
No
What are your public disclosure plans? (max 1000 chars)
Upload a File
You can upload one file limited to 10 MB. Please leave a note in the Private Comments below if you would like to make alternative arrangements to send files.
Choose a File
Your Contact Information
Name
The name of the person submitting this form. You may use a pseudonym, alias, or handle in place of your real name.
Organization
The name of the organization you are reporting on behalf of, if applicable.
Email address
Your personal email address. Consider creating a free webmail account if you do not wish to share your email address.
Do you want us to share your contact information with vendors? *
We will share contact information with vendors unless otherwise specified.
Yes
No
Do you want to be acknowledged by name in any published document about this vulnerability? *
If we publish a document based on this report, we will credit you unless otherwise specified.
Yes
No
Public PGP key
Optionally, if you would like to use PGP encrypted email, please include either your ASCII-armored PGP key or a URL to your key.
Tracking IDs
If you are following up with us regarding an existing VINCE Tracking ID, please enter it here.
Private Comments
Comments in this box will be kept private and will not be included in any publication or shared with vendors.
Coordination Preference
CISA Coordination
Sponsored by CISA.