Coordinated Vulnerability Disclosure Program
Authorities
CISA has broad authority to detect, identify, and receive information "for a cybersecurity purpose about security vulnerabilities relating to critical infrastructure in information systems and devices." 6 U.S.C. 659(c)(12). A "security vulnerability" means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. 6 U.S.C. 650(25). The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures. 6 U.S.C. 659(n).
Reporting a Vulnerability
To report a vulnerability for coordination, use the Vulnerability Information and Coordination Environment (VINCE), a secure platform hosted by our partners at Carnegie Mellon University’s Software Engineering Institute (SEI) and sponsored by CISA.
Note: VINCE accepts anonymous reports. A reporter may create an account with an unidentifiable email address and username and still take part in case discussions, although anonymity limits how fully the reporter can engage in those discussions.
Program Impact
The Coordinated Vulnerability Disclosure (CVD) Program is a key part of CISA's mission to protect critical infrastructure and bolster national cybersecurity. By identifying, addressing, and publicly disclosing cybersecurity vulnerabilities, each tracked by a CVE (Common Vulnerabilities and Exposures) record, the program reduces risks to essential systems. CISA works with stakeholders to quickly share actionable mitigation strategies, limiting exploitation opportunities and improving cybersecurity resilience. This collaborative approach builds trust, transparency, and a stronger global cybersecurity ecosystem, helping keep vital infrastructure safe.
Overview
CISA plays a vital role in safeguarding national and economic security by coordinating the identification, remediation, and disclosure of cybersecurity vulnerabilities that pose risks to critical infrastructure. This coordination includes vulnerabilities affecting a broad spectrum of technologies such as:
- Operational technology (OT) and industrial control systems (ICS),
- Internet of things (IoT) devices,
- Medical devices,
- Open source software,
- Artificial intelligence (AI),
- and IT systems.
Through our Coordinated Vulnerability Disclosure (CVD) program, CISA facilitates the timely and synchronized dissemination of vulnerability information and associated mitigations. This process ensures that all relevant stakeholders, including vulnerability reporters, software manufacturers, maintainers, vendors, and service providers, receive critical information simultaneously, thereby minimizing the window of exploitation and enabling rapid risk mitigation across diverse environments.
As an active participant in the CVE Program, CISA's CVD program operationalizes the CISA Top-Level Root and the CVE Numbering Authority (CNA) of Last Resort responsibilities by assigning CVE identifiers to vulnerabilities reported to CISA. These functions strengthen the global vulnerability management ecosystem by promoting transparency, fostering trust among stakeholders, and supporting a coordinated, systematic response to cybersecurity risks affecting critical infrastructure. For more on CISA's role in the CVE Program, see the CVE program structure.

CISA’s See Something, Say Something blog
Cybersecurity researchers play a vital role in helping organizations tackle vulnerabilities and improve cybersecurity resilience. Find out how fostering this collaboration enhances vulnerability management and safeguards digital assets.
Subject Matter Experts
CISA relies on a network of internal and external subject matter experts to understand and address the diverse range of devices and technologies utilized across each of the 16 critical infrastructure sectors. These experts enable CISA to analyze a wide variety of technologies, provide crucial feedback, and tailor recommendations to the specific needs of each sector, technology, or device.
The Process
The CVD process includes five key steps:
- Collection. CISA gathers vulnerability reports from our own analysis, public sources, and direct submissions. We validate and catalog the information.
- Analysis. CISA and vendors assess the technical details and risks of the reported vulnerabilities.
- Mitigation Coordination. CISA works with vendors to develop and release patches or updates.
- Application of Mitigations. CISA ensures affected users have time to apply mitigations before public disclosure.
- Disclosure. CISA discloses the vulnerability to the public by issuing a CVE record and a public advisory, in coordination with relevant stakeholders—including vendors and reporters—to ensure effective sharing of accurate and actionable information.
Public Disclosure
CISA discloses vulnerabilities through multiple channels to ensure that users receive complete, accurate, and timely information about vulnerabilities and mitigations. Disclosure may include publishing a CVE Record, a comprehensive vulnerability advisory, and/or associated public messaging.
Disclosure Timeline
The timeline for disclosure may depend on factors including:
- Disclosure Status. Whether the vulnerability has been publicly disclosed or is actively exploited. For a list of known exploited vulnerabilities, refer to our KEV catalog.
- Potential Impact. The potential impact on critical infrastructure, national security, or public health.
- Vendor Responsiveness. In cases where a vendor is unresponsive or will not establish a reasonable timeframe for remediation, CISA may disclose vulnerabilities as early as 45 days after the initial attempt to contact the vendor is made, regardless of the availability of a patch or update.
- Mitigation Availability and Timeline. The timeline depends on whether mitigations are available and, if not, how long the vendor needs to create mitigations.
CVD and the Vulnerability Equities Process
Although CISA participates in the interagency Vulnerability Equities Process (VEP), vulnerabilities reported to CISA through the CVD process are not subject to VEP adjudication, per Section 5.4 of the VEP Charter.
Other CISA Disclosure Services
CISA launched the Vulnerability Disclosure Policy (VDP) Platform in July 2021 to promote good-faith security research and coordinated vulnerability disclosure across the Federal Civilian Executive Branch (FCEB). Learn more about the VDP.
Resources
Explore the following resources to learn more about CISA and CVD, CVD best practices, and how you can contribute:
CISA’s See Something, Say Something blog
The “See Something, Say Something” campaign is a cornerstone of public safety. It encourages people to report suspicious activity to the authorities who are best equipped to assess and handle the potential threat.
The SEI CERT Coordination Center's CERT Guide to Coordinated Vulnerability Disclosure
This documentation is intended to serve as a guide to those who want to initiate, develop, or improve their own CVD capability.
The CVE Program
The official site of the CVE Program, which provides a comprehensive catalog of publicly disclosed cybersecurity vulnerabilities to facilitate standardized identification and management across the global security community.
CISA’s Known Exploited Vulnerabilities (KEV) Catalog
CISA maintains the authoritative catalog of vulnerabilities known to have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework, treating a KEV listing and its due date as a hard deadline rather than as one more severity score.
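As an added example of using the KEV catalog as a prioritization input (this is illustrative code, not CISA's), the script below indexes a KEV feed snapshot by CVE ID, cross-references it with an asset inventory, and orders the matches so that past-due items and those tied to known ransomware campaigns come first. The record shape follows the published known_exploited_vulnerabilities.json feed; the two entries and the inventory are constructed samples for this example, and the third inventory CVE ID is a placeholder, not a real CVE.

```python
"""Cross-reference an asset inventory against a CISA KEV catalog snapshot.

Added example; not CISA's code. The record shape follows the published
known_exploited_vulnerabilities.json feed (a top-level "vulnerabilities" list
whose entries carry cveID, vendorProject, product, vulnerabilityName, dateAdded,
requiredAction, dueDate and knownRansomwareCampaignUse). The entries below are
constructed samples for this example; treat their values as illustrative.
"""
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample: a two-entry snapshot in the KEV feed's JSON shape.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-44228",
      "vendorProject": "Apache",
      "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10",
      "shortDescription": "JNDI lookups in log messages allow remote code execution.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2021-12-24",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    },
    {
      "cveID": "CVE-2014-0160",
      "vendorProject": "OpenSSL",
      "product": "OpenSSL",
      "vulnerabilityName": "OpenSSL Information Disclosure Vulnerability",
      "dateAdded": "2022-05-04",
      "shortDescription": "Heartbeat extension over-read leaks process memory.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-05-25",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index a KEV feed document by CVE ID (normalised to upper case)."""
    catalog = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def prioritize(inventory: List[Tuple[str, str]], kev: Dict[str, dict], as_of: date) -> List[dict]:
    """Return the inventory items that appear in KEV, most urgent first.

    inventory: (asset name, CVE ID) pairs, e.g. from a scanner or SBOM tool.
    Ordering: past-due items first, then known ransomware use, then earliest
    due date. Items not in KEV are dropped here; they still need handling,
    just not under a KEV deadline.
    """
    hits = []
    for asset, cve_id in inventory:
        entry = kev.get(cve_id.strip().upper())
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "asset": asset,
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due,
            "overdue": as_of > due,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits


def kev_report(inventory: List[Tuple[str, str]], feed_json: str, as_of_iso: str) -> List[dict]:
    """Convenience wrapper: parse the feed and an ISO date, then prioritize."""
    return prioritize(inventory, load_kev(feed_json), date.fromisoformat(as_of_iso))


# Constructed inventory; "CVE-2099-0001" is a placeholder, not a real CVE.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "cve-2014-0160"),
    ("web-app-03", "CVE-2021-44228"),
    ("db-02", "CVE-2099-0001"),
]

if __name__ == "__main__":
    for hit in kev_report(SAMPLE_INVENTORY, SAMPLE_KEV_JSON, "2022-05-10"):
        flag = "OVERDUE" if hit["overdue"] else f'due {hit["due"]}'
        print(f'{hit["asset"]:12} {hit["cve"]:16} {hit["product"]:16} {flag}')
```

Matching is done on the normalised CVE ID only, so the same logic works against the live feed once it is fetched; the due date is the federal (BOD 22-01) deadline, which other organizations can adopt as-is or tighten.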
CISA’s Industrial Control System (ICS) Advisories
Concise summaries covering industrial control system (ICS) cybersecurity topics, primarily focused on mitigations that ICS vendors have published for vulnerabilities in their products.
CISA’s OASIS Common Security Advisory Framework (CSAF) Repository on GitHub
The purpose of this repository is to provide machine-readable security advisories using the OASIS Common Security Advisory Framework (CSAF) Version 2.0 standard for CISA's Information Technology (IT) and Operational Technology (OT) advisories.
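To show what "machine-readable" buys a consumer of these advisories, here is an added example (not CISA's or OASIS's code) that reads a CSAF 2.0 document, builds a product_id-to-name index from the product_tree, and lists each known-affected product with its vendor fixes, mitigations, and CVSS v3 base score. The advisory embedded below is a constructed, minimal document in the CSAF 2.0 JSON shape; its tracking ID, vendor, and product names are placeholders rather than a real CISA advisory, and only product_ids (not group_ids) are resolved for remediations.

```python
"""List affected products and remediations from a CSAF 2.0 advisory.

Added example; not CISA's or OASIS's code. It reads the three top-level CSAF
2.0 objects (document, product_tree, vulnerabilities) as the OASIS standard
defines them. The advisory below is a constructed, minimal document in that
shape; "EXAMPLE-0001", "Example Vendor" and "Example Gateway" are placeholders.
"""
import json
from typing import Dict, List, Optional

# Constructed sample advisory in CSAF 2.0 JSON shape (CVE-2021-44228 is real;
# the product that embeds the vulnerable library is made up for this example).
SAMPLE_CSAF = """
{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "title": "Example Gateway: remote code execution via embedded Log4j",
    "publisher": {"category": "vendor", "name": "Example Vendor", "namespace": "https://example.invalid"},
    "tracking": {
      "id": "EXAMPLE-0001", "status": "final", "version": "1.0.0",
      "initial_release_date": "2021-12-15T00:00:00Z", "current_release_date": "2021-12-15T00:00:00Z",
      "revision_history": [{"number": "1.0.0", "date": "2021-12-15T00:00:00Z", "summary": "Initial release"}]
    }
  },
  "product_tree": {
    "branches": [
      {"category": "vendor", "name": "Example Vendor", "branches": [
        {"category": "product_name", "name": "Example Gateway", "branches": [
          {"category": "product_version_range", "name": "< 2.3.1",
           "product": {"name": "Example Vendor Example Gateway < 2.3.1", "product_id": "CSAFPID-0001"}},
          {"category": "product_version", "name": "2.3.1",
           "product": {"name": "Example Vendor Example Gateway 2.3.1", "product_id": "CSAFPID-0002"}}
        ]}
      ]}
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-44228",
      "title": "Remote code execution through JNDI lookups in Log4j",
      "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
      "remediations": [
        {"category": "vendor_fix", "details": "Upgrade to 2.3.1.", "product_ids": ["CSAFPID-0001"]},
        {"category": "mitigation", "details": "Block outbound LDAP and RMI from the gateway.", "product_ids": ["CSAFPID-0001"]}
      ],
      "scores": [
        {"cvss_v3": {"version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL",
                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},
         "products": ["CSAFPID-0001"]}
      ]
    }
  ]
}
"""


def load_advisory(text: str) -> dict:
    """Parse a CSAF document and refuse anything that is not CSAF 2.0."""
    doc = json.loads(text)
    version = doc.get("document", {}).get("csaf_version")
    if version != "2.0":
        raise ValueError(f"expected csaf_version 2.0, got {version!r}")
    return doc


def index_products(product_tree: dict) -> Dict[str, str]:
    """Map every product_id in the tree to its full product name.

    Products may be leaves of nested branches, entries in full_product_names,
    or the full_product_name of a relationship; all three are covered.
    """
    names: Dict[str, str] = {}

    def walk(branches: List[dict]) -> None:
        for branch in branches:
            product = branch.get("product")
            if product:
                names[product["product_id"]] = product["name"]
            walk(branch.get("branches", []))

    walk(product_tree.get("branches", []))
    for product in product_tree.get("full_product_names", []):
        names[product["product_id"]] = product["name"]
    for rel in product_tree.get("relationships", []):
        product = rel.get("full_product_name")
        if product:
            names[product["product_id"]] = product["name"]
    return names


def affected_products(advisory: dict) -> List[dict]:
    """One row per (vulnerability, known_affected product) with fixes, mitigations and CVSS v3 score."""
    names = index_products(advisory.get("product_tree", {}))
    rows = []
    for vuln in advisory.get("vulnerabilities", []):
        remediations = vuln.get("remediations", [])
        scores = vuln.get("scores", [])
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            applies = [r for r in remediations if pid in r.get("product_ids", [])]  # group_ids not resolved here
            score: Optional[float] = next(
                (s["cvss_v3"]["baseScore"] for s in scores if "cvss_v3" in s and pid in s.get("products", [])),
                None,
            )
            rows.append({
                "advisory": advisory["document"]["tracking"]["id"],
                "cve": vuln.get("cve"),
                "product_id": pid,
                "product": names.get(pid, pid),
                "fixes": [r["details"] for r in applies if r["category"] == "vendor_fix"],
                "mitigations": [r["details"] for r in applies if r["category"] == "mitigation"],
                "base_score": score,
            })
    return rows


if __name__ == "__main__":
    for row in affected_products(load_advisory(SAMPLE_CSAF)):
        print(f'{row["advisory"]} {row["cve"]} {row["product"]} (CVSS {row["base_score"]}): '
              f'fix={row["fixes"]} mitigate={row["mitigations"]}')
```

The same functions apply unchanged to the JSON files in CISA's CSAF repository; the version check in load_advisory is there because the field layout above is specific to CSAF 2.0.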
OMB Memorandum: Improving Vulnerability Identification, Management, and Remediation
This memorandum provides Federal agencies with guidance for establishing and managing their vulnerability disclosure programs so that the security research community ("reporters") can report vulnerability information.
Recommendations for Federal Vulnerability Disclosure Guidelines
This document recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities.
Contact
central@cisa.gov, 1-888-282-0870