How to report a vulnerability

A vulnerability is a weakness in software, hardware, or an online service. Malicious actors can exploit vulnerabilities to damage systems or access sensitive information.

If you discover a vulnerability in a product or service, report it to the organisation or individual responsible — often called the 'vendor'. If you need help contacting a vendor, the NCSC can support you.

If you’ve found a vulnerability

Start by finding the right contact to report it to. The vendor — the person or organisation responsible for the product or service — is usually your first point of contact. You can often find their details in the following ways.

  • Check for a security.txt file on their website. This standard helps people report security issues. It’s usually located at http://[domain]/.well-known/security.txt. The file may include a PGP fingerprint, email address, and the vendor’s vulnerability disclosure policy.
  • Look on the vendor’s website. Check for the contact details on the privacy page, security policy, or IT support section. These pages often include reporting points for security issues.
  • Search the WHOIS database. WHOIS records show domain registration details, including email addresses like abuse@example.com. This can be a good first step if there’s no information on the vendor’s site.
  • Use an IP lookup tool. If you can’t reach the domain owner, try identifying the network provider linked to the website’s IP address. They may be able to pass on your report.

Related links:

  • Search WHOIS details for .nz domains
  • Search WHOIS details for all other domains
  • Securitytxt.org

What to put in your report

The more relevant detail you include, the more helpful your report will be. But don’t try to prove the vulnerability by accessing sensitive data — that’s the vendor’s responsibility. If you’re concerned about a specific risk, explain it in your report so the vendor can investigate. At a minimum, your report should include:

  • the affected product or service, and its version,
  • the platform the product runs on, and
  • the likely impact if the vulnerability is exploited.

If you know more, such as the kind of threat the vulnerability could pose, include that too.

What not to do

When preparing your report:

  • don’t make changes to the vendor’s data,
  • don’t copy, delete, or modify anything,
  • don’t access the system again once you’ve gathered what you need, and
  • don’t share details of the vulnerability or your access with anyone else.

It should go without saying, but never use your access to:

  • install malware,
  • carry out a denial-of-service (DoS) attack, or
  • attempt social engineering.

How to communicate a vulnerability

Keep your report secure. Use PGP encryption or another secure method to send it to the vendor.

If the vendor provides a PGP key, you can usually find it on a public key server, such as pgp.mit.edu. Always verify the key’s fingerprint through a separate channel. For example, if you received the key by email, check its fingerprint against one you obtained another way:

  • from the vendor’s security.txt file,
  • from their website, or
  • from your contact at the vendor.
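The two checks above (finding a vendor’s security.txt and confirming a PGP fingerprint against a second source) can be done in a few lines of code. The following is an added example, not NCSC code: it builds the well-known URL, parses a security.txt into its fields as defined by RFC 9116 (Contact, Expires, Encryption, Policy and so on), flags problems a reporter should notice (no Contact, a past Expires date), and compares a fingerprint received by email with the one the file publishes through an openpgp4fpr: URI. The sample file, the example.com addresses and the fingerprint are all constructed placeholders.

```python
"""Find, parse and sanity-check a vendor's security.txt, then cross-check a
PGP fingerprint received by one channel against the one the file publishes.
Added example (not the NCSC's code). Assumes RFC 9116 field names and the
openpgp4fpr:<hex> form of the Encryption field."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Field names defined by RFC 9116; matched case-insensitively.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}

# Constructed sample, as a vendor might serve it at
# https://example.com/.well-known/security.txt (not a real vendor's file;
# the fingerprint is a made-up placeholder).
SAMPLE_SECURITY_TXT = """\
# Security contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Encryption: openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/vulnerability-disclosure-policy
Preferred-Languages: en, mi
"""


def well_known_url(domain: str, scheme: str = "https") -> str:
    """Location where security.txt is expected (RFC 9116 requires https)."""
    return f"{scheme}://{domain}/.well-known/security.txt"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse security.txt into {field: [values]}. Comment and blank lines are
    skipped; a field may repeat (several Contact lines), so values are lists."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; ignore rather than fail
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_timestamp(value: str) -> datetime:
    """Parse an Expires value (ISO 8601); a trailing 'Z' means UTC."""
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_security_txt(fields: dict[str, list[str]],
                       now: datetime | None = None) -> list[str]:
    """Problems a reporter should notice before trusting the file."""
    problems: list[str] = []
    now = now or datetime.now(timezone.utc)
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: nowhere to send the report")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if parse_timestamp(expires[0]) < now:
                problems.append("Expires is in the past: the file may be stale")
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {expires[0]}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r} (ignored)")
    return problems


def normalise_fingerprint(fp: str) -> str:
    """Canonical form of an OpenPGP v4 fingerprint: 40 upper-case hex digits,
    whatever spacing or 0x prefix the copy you were given used."""
    cleaned = re.sub(r"\s+", "", fp).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a v4 fingerprint: {fp!r}")
    return cleaned


def published_fingerprints(fields: dict[str, list[str]]) -> list[str]:
    """Fingerprints the vendor publishes via Encryption: openpgp4fpr:<hex>."""
    return [normalise_fingerprint(enc.split(":", 1)[1])
            for enc in fields.get("encryption", [])
            if enc.lower().startswith("openpgp4fpr:")]


def fingerprint_matches(received: str, fields: dict[str, list[str]]) -> bool:
    """True if the fingerprint of a key received by one channel (e.g. email)
    matches one published through security.txt, a separate channel."""
    return normalise_fingerprint(received) in published_fingerprints(fields)


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print(well_known_url("example.com"))
    print("problems:", check_security_txt(parsed) or "none")
    print("emailed key matches:",
          fingerprint_matches("0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567", parsed))
```

The fingerprint comparison deliberately tolerates the spacing and case differences that appear when a fingerprint is copied from a web page, a key server or an email, so a mismatch reported by `fingerprint_matches` is a real difference in the key, not a formatting artefact.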

If PGP isn’t available, you can also encrypt your report in a password-protected zip file using a strong algorithm. Share the password separately — by phone or SMS, not by email.

The NCSC can help you communicate with a vendor whose systems are affected, if:

  • you want to remain anonymous, or
  • you've tried to contact the vendor but haven't received a response.

We don't verify or investigate the report ourselves; we simply pass the information to the vendor. This process is called coordinated disclosure.

Related link: Making a coordinated vulnerability disclosure

After you’ve reported a vulnerability

Fixing a vulnerability takes time. Once you’ve sent your report, you might not hear back straight away — and that’s normal.

Avoid making the details public to prompt a response. Responsible disclosure means giving the vendor time to act.

If you don’t hear back within a few weeks, or you feel your report isn’t being taken seriously, contact us. We can work with you and the vendor to help ensure:

  • you get a response,
  • the vendor outlines their plans to fix the issue, and
  • you follow best practice if you choose to publish details and the vendor hasn’t responded.
