Introduction

VulnCheck Report A Vulnerability makes it easy to Report a vulnerability to VulnCheck to be responsibly disclosed

VulnCheck is committed to making it as easy as possible to report a vulnerability to be responsibly disclosed.

Report A Vulnerability

Vulncheck makes it easy to report a vulnerability at https://vulncheck.com/advisories/report.

Multi-Lingual Support

VulnCheck’s vulnerability reporting service received a number of requests for additional language support. We’ve updated our vulnerability reporting service to support English, Nederlands (Dutch), Русский (Russian), 简体中文 (Simplified Chinese), 繁體中文 (Traditional Chinese), 한국어 (Korean), and فارسی (Persian/Farsi). We plan on expanding support for additional languages soon.

Why Report a Vulnerability to VulnCheck?

VulnCheck works directly with researchers to coordinate disclosure and manage communications with affected suppliers. This minimizes the time and effort you spend navigating disclosure processes while ensuring vulnerabilities are handled responsibly and consistently. All of this is done while ensuring proper credit is given to the researcher.

How Does VulnCheck’s Report a Vulnerability Service Work?

Simply submit the technical details of your vulnerability to VulnCheck. We do not require a specific format and aim to keep initial questions to a minimum. That said, providing thorough technical detail helps us validate the issue and proceed efficiently.

Once submitted, VulnCheck will handle the disclosure process and keep you informed at every stage. You may submit a report via: Web portal Email: disclosures@vulncheck.com

What Information Is Needed When Reporting a Vulnerability?

Submissions can range from a public reference to an unidentified vulnerability to a full technical report with reproduction steps and proof of concept. At a minimum, we ask for enough information to either populate a CVE record or initiate coordination with the supplier.

When using the web form, you will be asked to provide:

  • Vendor name
  • Product name
  • Affected and tested version(s)
  • Vulnerability details: a clear description of the issue, its impact, and exploitation method, including reproduction steps and a proof of concept if available
  • Whether you would like VulnCheck to coordinate disclosure on your behalf
  • Whether you previously requested CVEs from MITRE without response
  • Whether the vulnerability has already been publicly disclosed (with references, if applicable)
  • Whether you plan to publish your findings on or after the coordinated disclosure date

Here is an example of a comprehensive CVD submission presented in a format that enables us to go quickly from intake to vendor outreach:

What Timeline Should I Expect From VulnCheck?

You should expect an analyst to engage with you within 1 business day.

  • CVE assignments for publicly disclosed issues or already-coordinated cases often occur within hours.
  • For coordinated disclosures, VulnCheck’s average time from initial report to public disclosure is approximately 48 days, well within our 120-day disclosure policy.

Will VulnCheck Assign a CVE?

Yes. After appropriate coordination, VulnCheck will issue a CVE directly or work with the most appropriate CVE Numbering Authority, depending on scope and ownership.

What If My Vulnerability Is Already Public and I Only Need a CVE ID?

VulnCheck is a CVE Numbering Authority and can issue a CVE ID directly or coordinate assignment as needed.

Does VulnCheck Offer a Bounty Payout?

No. VulnCheck does not provide financial incentives for vulnerability submissions.

Are There Instances Where VulnCheck Will Not Perform Disclosure?

There are limited circumstances in which VulnCheck will decline to coordinate disclosure:

  • Not CVE-eligible
    • We can help determine eligibility, but we do not coordinate disclosure for issues that do not qualify for CVE assignment.
  • Unable to reproduce the issue
    • If neither VulnCheck nor the supplier can validate the vulnerability after reasonable attempts, the case may be closed.
  • Embargo violations
    • If a researcher breaches an agreed embargo, VulnCheck may decline future coordination.
  • Unethical or unauthorized discovery
    • Vulnerabilities identified through testing on production systems without authorization will not be coordinated.

Is VulnCheck’s ‘Report a Vulnerability’ Service Legally Binding?

No - this service does not have any legal authority. We adhere to our Vulnerability Disclosure Policy. Participants are expected to respect mutual embargoes during coordinated disclosure. Researchers may choose to break an embargo at any time; however, VulnCheck reserves the right to refuse future service in such cases.

FAQ

Open Source