Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware impacting Switzerland and want to report it? There are different ways to report a vulnerability.
Federal Administration assets
If the vulnerability impacts an IT system, application or hardware of the Federal Administration, you should report the vulnerability to the NCSC using the form below. Please follow our common vulnerability disclosure policy to ensure compliant reporting.
Non-Federal Administration assets
If you have found a vulnerability in an IT system or product that does not belong to the Federal Administration, but which impacts Switzerland as a country, the vulnerability should always be reported to the owner of the system or the product supplier first.
You should only report your findings to the NCSC if you cannot find a point of contact or if the affected party does not provide an adequate response to the vulnerability.
In this case, the NCSC will serve as an intermediary to bring the vulnerability to the attention of the affected party again and attempt to get the issue resolved.
CVE publication
If you have discovered a vulnerability in software or hardware being used by Swiss companies, the NCSC, in its role as a CVE Numbering Authority (CNA), may coordinate the publication of the relevant CVE.
Important note on CVE requirement:
To ensure quicker processing of your CVE request, mention whether a public reference to the vulnerability exists or whether one has been planned by you or the vendor according to MITRE requirements. The reference should at least:
- Mention the vulnerability (including the planned or existing CVE ID) and the versions of the product affected by the vulnerability
- Be publicly accessible and should not require registration or login
In accordance with the Federal law on information security, the NCSC may publish information relating to vulnerabilities, indicating the software or hardware impacted. This publication could also be used as a CVE reference under certain conditions (Art. 73c, al 1., al 2.).
To help speed up the process, please create a CVE draft in «Vulnogram», export it as JSON and attach it to your submission.
If the reported vulnerability affects a cloud service, make sure it is eligible under «7.4.4. Requirements for Assigning a CVE ID»: «The vulnerability requires customer or peer action to resolve.»
How to submit a CVD report to us:
- Complete the form below, including details of your discovery. Please include your PGP public key so that the NCSC can ensure timely and secure communication with you.
- For reports on systems that do not belong to the Federal Administration, confirm that you have tried to get in contact with the affected parties and document the point of contact in the appropriate fields.
- Mention if your request is related to a CVE publication. In that case, attach a draft and let us know if the publication of a reference is already planned (see important note on CVE requirements).
- Provide as much information as possible for the NCSC to reproduce the vulnerability or at least assess the validity based on the report.
- The NCSC might need to communicate directly with you during the handling of a case. Please provide at least an email address (you can still communicate with us anonymously).
- For encrypted communication, use the PGP key of vulnerability [at] ncsc.ch.
PGP NCSC Vulnerability (ASC, 3 kB, 31.08.2021)
E-Mail: vulnerability at ncsc.ch
Key ID: 0xBCBB3E225F16898A
Fingerprint: F25A B97C 779A 0C6A 0DE0 F356 BCBB 3E22 5F16 898A
SMIME NCSC Vulnerability (CER, 1 kB, 06.10.2022)
E-Mail: vulnerability at ncsc.ch
Fingerprint: bc4563dc1e37b759cd83ffa72a0d4bed468340c2