Submission Policy, Vulners


Our vulnerability submission policy is designed to achieve two main objectives:

Vulnerability Reporting

Users can submit new vulnerabilities through [email protected] email. By submitting vulnerabilities, they agree to this Submission Policy.

Submission Requirements

Submissions must include the following details:

Providing detailed summaries, exploit details, screenshots, and videos helps expedite the validation process.

Disclosure Timeline

Quality Control

The moderation team aims for high-quality entries and data. This may require additional communication and validation time. If the standard disclosure timeline cannot be met, users will be informed of the new timeline via email.

Coordinated and Responsible Disclosure

Our coordinated disclosure process is as follows:

CVE Assignment

If a submission does not have an assigned CVE, Vulners will assign one following the general CNA Rules, provided it is not within another CNA's scope. If necessary, coordination with the relevant CNA will be undertaken, potentially causing delays.


All communications regarding submissions are conducted via email. Users will receive updates on the status of their submission and any decisions made by the moderation team.


All submission details and communications are confidential until the vulnerability is disclosed. If accepted, the submission details will become public. Rejected submissions remain confidential and inaccessible to the public.

Acceptance and Publication

Accepted submissions will result in a new entry being created, listing the submitting user as the researcher or submitter. Users can request anonymity.

Handling Multiple Vulnerabilities


If a third party disputes a vulnerability disclosure, they must provide a clear rationale and technical proof. Valid disputes will result in the entry being flagged accordingly. Vulners cannot dispute CVEs issued by other CNAs.


Submissions not qualified as new vulnerabilities will be rejected, with an explanation provided to the user. Common reasons include spam, false positives, and invalid data. Rejected entries are flagged, and any associated CVEs issued by Vulners will be revoked.

Weak Submissions and Blacklisting

Users providing weak submissions or abusing the system may face decreased priority, temporary submission limits, or permanent blacklisting. Details of any limitations will be communicated via the email.

Policy Flexibility

Vulners reserves the right to modify or deviate from this policy as necessary.