Please report security vulnerabilities by going to the CVE Program web forms. Please include vulnerability details, steps to reproduce (e.g., proof-of-concept code, screenshots) and an assessment of the impact in your report. We appreciate concise and high quality reports.
- In the “Select a request type” drop down menu, please select “other”
- Enter your email address in the space provided
- You may enter a PGP key if you prefer to encrypt your correspondence
- In the “Type of comment” drop down menu, please select “Issue”
- In the textbox labeled “Please provide your question, issue, comment, etc.” please start the message with the following information:
- First Line: “CVE Service Security Anomaly Report”
- Second Line: “Distribution: CVE Service Development Team”
- Third Line: "Description: [Free Text description of the anomaly]”
- Enter the Security code
- Click “Submit Request”
The services in the CVE Services repository repository are in scope for reporting vulnerabilities.
We will release fixes and assign CVE IDs for verified security vulnerabilities. We expect to publish vulnerabilities using GitHub security advisories.
We appreciate the opportunity to investigate and develop fixes before public disclosure, following coordinated vulnerability disclosure practices.
For vulnerabilities that affect upstream dependencies, we can assist reporting and coordinating with the appropriate parties. We will not share your identification without your permission, but may share the other relevant parts of your report.