Reporting a vulnerability (CVD)
Have you discovered a vulnerability in a government system or in a system with a vital function? If you have, the golden rule is that you initially approach the owner of the system. You should only inform the NCSC if the organisation fails to respond or does not respond appropriately. We adopt the role of intermediary to resolve the vulnerability or weakness. Submitting this type of report is known as Coordinated Vulnerability Disclosure (CVD).
How can you submit a CVD report to us?
Please follow the procedure below:
- Complete the CVD-report form with your findings. This form will be sent automatically to firstname.lastname@example.org. To prevent the information from falling into the wrong hands, please use the NCSC’s PGP-key.
- Include sufficient information in your report to reproduce the problem, which helps to resolve the problem quickly. While it is usually sufficient to state the IP address or URL of the system affected and a description of the vulnerability, further details may be required for more complex vulnerabilities. In that case, we will get in touch with you.
- Provide at least your email address or telephone number so we can contact you.
- you submit your report as quickly as possible after discovering the vulnerability;
- you do not share information about the security problem with others until you hear from us or until it has been resolved;
- you handle knowledge about the security problem responsibly by not taking any action other than that needed to demonstrate the security problem.
Avoid irresponsible actions
Always avoid the following actions:
- installing malware;
- copying, changing or deleting data in a system. An alternative is creating a directory listing of a system;
- making changes to the system;
- repeatedly gaining access to the system or sharing access with others;
- using brute force in gaining access to a system;
- using Denial of Service or social engineering.
What does our CVD policy look like?
- If you submit a report in accordance with the procedure, we have no reason to take legal action as a result of your report. We will handle your report confidentially and will not share personal details with third parties without your consent, unless obliged to do so pursuant to a statutory provision or a legal ruling.
- We will only mention your name as the one who discovered the reported vulnerability with your consent.
- We will send you an acknowledgement of receipt within one working day. We will respond to a report within three working days with an assessment of the report and an expected resolution date. We will keep you, the reporting party, informed about the progress in resolving the problem.
- The NCSC will try to resolve the security problem that you have reported in a system within 60 days. Once the problem has been resolved, we will decide in consultation whether and how details will be published.
- The NCSC provides a reward by way of thanks for the assistance. Depending on the severity of the security problem and the quality of the report, the reward can vary from a T-shirt or a gift voucher to a maximum of €300. It must relate to a serious security problem of which the NCSC is not yet aware.