Coordinated Vulnerability Disclosure Program

Authorities

CISA has broad authority to detect, identify, and receive information "for a cybersecurity purpose about security vulnerabilities relating to critical infrastructure in information systems and devices." 6 U.S.C. 659(c)(12). Where a "security vulnerability" means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. 6 U.S.C 650(25). The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures. 6 U.S.C. 659(n).

Reporting a Vulnerability

To report a vulnerability for coordination, use the Vulnerability Information and Coordination Environment (VINCE), a secure platform hosted by our partners at Carnegie Mellon University’s Software Engineering Institute (SEI) and sponsored by CISA. 

Note: The VINCE accepts anonymous reports; a reporter may create an account with an unidentifiable email and username to remain anonymous and still engage in case discussions. Keep in mind, anonymity limits engagement in case discussions.

Submit A Vulnerability

Program Impact

The Coordinated Vulnerability Disclosure (CVD) Program is a key part of CISA's mission to protect critical infrastructure and bolster national cybersecurity. By identifying, addressing, and publicly disclosing cybersecurity vulnerabilities—known as CVEs (common vulnerabilities and exposures)—the program reduces risks to essential systems. CISA works with stakeholders to quickly share actionable mitigation strategies, limiting exploitation opportunities and improving cybersecurity resilience. This collaborative approach builds trust, transparency, and a stronger global cybersecurity ecosystem, ensuring the safety of vital infrastructure.

Overview

CISA plays a vital role in safeguarding national and economic security by coordinating the identification, remediation, and disclosure of cybersecurity vulnerabilities that pose risks to critical infrastructure. This coordination includes vulnerabilities affecting a broad spectrum of technologies such as:

• Operational technology (OT) and industrial control systems (ICS),
• Internet of things (IoT) devices,  
• Medical devices,
• Open source software,
• Artificial intelligence (AI),
• and IT systems. 

Through our Coordinated Vulnerability Disclosure (CVD) program, CISA facilitates the timely and synchronized dissemination of vulnerability information and associated mitigations. This process ensures that all relevant stakeholders—including vulnerability reporters, software manufacturers, maintainers, vendors, services providers—receive critical information simultaneously, thereby minimizing the window of exploitation and enabling rapid risk mitigation across diverse environments. 

As an active participant in the CVE Program, CISA's CVD program operationalizes the CISA Top Level Root and the CVE Numbering Authority (CNA) of Last Resort responsibilities by assigning CVE identifiers for vulnerabilities reported to CISA. These functions strengthen the global vulnerability management ecosystem by promoting transparency, fostering trust amongst stakeholders, and supporting a coordinated, systematic response to cybersecurity risks affecting critical infrastructure. For more on CISA's role in the CVE Program, see the CVE program structure.

Subject Matter Experts

CISA relies on a network of internal and external subject matter experts to understand and address the diverse range of devices and technologies utilized across each of the 16 critical infrastructure sectors. These experts enable CISA to analyze a wide variety of technologies, provide crucial feedback, and tailor recommendations to the specific needs of each sector, technology, or device.

The Process

The CVD process includes five key steps:

1. Collection. CISA gathers vulnerability reports from our own analysis, public sources, and direct submissions. We validate and catalog the information.
2. Analysis. CISA and vendors assess the technical details and risks of the reported vulnerabilities.
3. Mitigation Coordination. CISA works with vendors to develop and release patches or updates.
4. Application of Mitigations. CISA ensures affected users have time to apply mitigations before public disclosure.
5. Disclosure. CISA discloses the vulnerability to the public by issuing a CVE record and a public advisory, in coordination with relevant stakeholders—including vendors and reporters—to ensure effective sharing of accurate and actionable information.

Public Disclosure

CISA discloses vulnerabilities through multiple channels to ensure that users receive complete, accurate, and timely information about vulnerabilities and mitigations. Disclosure may include publishing a CVE Record, a comprehensive vulnerability advisory, and/or associated public messaging.

Disclosure Timeline

The timeline for disclosure may depend on factors including:

• Disclosure Status. Whether the vulnerability has been publicly disclosed or is actively exploited. For a list of known exploited vulnerabilities, refer to our KEV catalog.
• Potential Impact. The potential impact on critical infrastructure, national security, or public health.
• Vendor Responsiveness. In cases where a vendor is unresponsive or will not establish a reasonable timeframe for remediation, CISA may disclose vulnerabilities as early as 45 days after the initial attempt to contact the vendor is made, regardless of the availability of a patch or update.
• Mitigation Availability and Timeline. The timeline depends on whether mitigations are available and, if not, how long the vendor needs to create mitigations.

CVD and the Vulnerability Equities Process

Although CISA participates in the interagency Vulnerability Equities Process (VEP), vulnerabilities reported to CISA through the CVD process are not subject to VEP adjudication, per Section 5.4 of the VEP Charter.

Other CISA Disclosure Services

CISA launched the Vulnerability Disclosure Policy (VDP) Platform in July 2012 to ensure the promotion of good-faith community research for improved security and coordinated vulnerability disclosure across the Federal Civilian Executive Brand (FCEB). Learn more about the VDP.