Our vulnerability submission policy is designed to achieve two main objectives:
Users can submit new vulnerabilities by email to [email protected]. By submitting vulnerabilities, they agree to this Submission Policy.
Submissions must include the following details:
Providing detailed summaries, exploit details, screenshots, and videos helps expedite the validation process.
The moderation team aims for high-quality entries and data. This may require additional communication and validation time. If the standard disclosure timeline cannot be met, users will be informed of the new timeline via email.
Our coordinated disclosure process is as follows:
If a submission does not have an assigned CVE, Vulners will assign one following the general CNA Rules, provided it is not within another CNA's scope. If necessary, coordination with the relevant CNA will be undertaken, potentially causing delays.
All communications regarding submissions are conducted via email. Users will receive updates on the status of their submission and any decisions made by the moderation team.
All submission details and communications are confidential until the vulnerability is disclosed. If accepted, the submission details will become public. Rejected submissions remain confidential and inaccessible to the public.
Accepted submissions will result in a new entry being created, listing the submitting user as the researcher or submitter. Users can request anonymity.
If a third party disputes a vulnerability disclosure, they must provide a clear rationale and technical proof. Valid disputes will result in the entry being flagged accordingly. Vulners cannot dispute CVEs issued by other CNAs.
Submissions not qualified as new vulnerabilities will be rejected, with an explanation provided to the user. Common reasons include spam, false positives, and invalid data. Rejected entries are flagged, and any associated CVEs issued by Vulners will be revoked.
Users providing weak submissions or abusing the system may face decreased priority, temporary submission limits, or permanent blacklisting. Details of any limitations will be communicated via email.
Vulners reserves the right to modify or deviate from this policy as necessary.