The CERT/CC offers vulnerability coordination and disclosure services.
Misunderstanding, disagreement, or hard-to-reach vendor? Complicated supply chain, protocol vulnerability, multiple vendors involved? IoT, particularly with safety impact? Vendor is new to disclosure? Internet or other critical infrastructure affected? New or under-appreciated type of vulnerability? We can help.
XSS or CSRF in home router? Vulnerability affecting a single vendor with mature disclosure capabilities? Not so much, however we do recommend you make an attempt at coordinated disclosure.
We don't offer a bounty, just acknowledgement in our Vulnerability Notes __and a sense of altruism.
Please note: Currently we are not tracking reports using HackerOne and submitting a report will take you to our Vulnerability Reporting Form on cert.org. Our program is not meant for reports in cert.org web properties.
This program have been found on Hackerone on 2018-11-12.