Initiating a Coordinated Vulnerability Disclosure Case

Sometimes, the hardest part of CVD is getting started. You might know about a vulnerability, but not know how to reach the vendor. Or you might be having trouble getting the vendor to respond. This section provides some advice on how to get the ball rolling.

  • Providing Useful Reports


    Reporting a vulnerability requires that the vulnerability is well-documented. This typically means providing high-quality and actionable information to the vendor or coordinator.

  • Finding Vendor Contacts


    Making initial contact with a vendor can sometimes be more difficult than it should be.

  • Unresponsive Vendor


    Sometimes, even when you can find contact information for a vendor, the vendor has no established process for receiving vulnerability reports.

  • Reduce Reporting Friction


    As a vendor, it is important to not treat reporters with suspicion or hostility. It's likely they have important information about your product, and they want to share it with you.