The CERT/CC offers vulnerability coordination and disclosure services.

Misunderstanding, disagreement, or hard-to-reach vendor? Complicated supply chain, protocol vulnerability, multiple vendors involved? IoT, particularly with safety impact? Vendor is new to disclosure? Internet or other critical infrastructure affected? New or under-appreciated type of vulnerability? We can help.

XSS or CSRF in home router? Vulnerability affecting a single vendor with mature disclosure capabilities? Not so much, however we do recommend you make an attempt at coordinated disclosure.

We don't offer a bounty, just acknowledgement in our Vulnerability Notes and a sense of altruism.

For more information, please see our disclosure policy and wiki.

Please note: Currently we are not tracking reports using HackerOne and submitting a report will take you to our Vulnerability Reporting Form on cert.org. Our program is not meant for reports in cert.org web properties.