Vulnerability Disclosure Policy - European Commission
<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#"> <head> <meta charset="utf-8" /> <meta name="description" content="Learn how to test and report on vulnerabilities identified in the Commission's communication and information systems, as described in its disclosure policy" /> <meta name="keywords" content="cybersecurity, data protection" /> <meta http-equiv="content-language" content="en" /> <link rel="canonical" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_en" /> <meta property="og:determiner" content="auto" /> <meta property="og:site_name" content="European Commission" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_en" /> <meta property="og:title" content="Vulnerability Disclosure Policy" /> <meta property="og:description" content="Learn how to test and report on vulnerabilities identified in the Commission's communication and information systems, as described in its disclosure policy" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:title" content="Vulnerability Disclosure Policy" /> <meta name="twitter:description" content="Learn how to test and report on vulnerabilities identified in the Commission's communication and information systems, as described in its disclosure policy" /> <meta name="twitter:url" content="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_en" /> <meta property="og:image" content="https://commission.europa.eu/profiles/contrib/ewcms/modules/ewcms_seo/assets/images/ec-socialmedia-fallback.png" /> <meta property="og:image:alt" content="European Commission" /> <meta name="twitter:image" content="https://commission.europa.eu/profiles/contrib/ewcms/modules/ewcms_seo/assets/images/ec-socialmedia-fallback.png" /> <meta name="twitter:image:alt" content="European Commission" /> <meta http-equiv="X-UA-Compatible" 
content="IE=edge,chrome=1" /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script type="application/json">{"service":"etrans","renderAs":false,"user":"European Commission","exclude":".ecl-site-header__language-item,.ecl-site-header__language-selector,.toolbar","languages":{"source":"en","available":["bg","es","cs","da","de","et","el","en","fr","ga","hr","it","lv","lt","hu","mt","nl","pl","pt","ro","sk","sl","fi","sv"]},"config":{"live":false,"mode":"lc2023","targets":{"receiver":"#webtools-etrans"}}}</script> <script type="application/json">{"service":"preview","position":"before"}</script> <link rel="icon" href="/profiles/contrib/ewcms/themes/ewcms_theme/images/favicons/ec/favicon.ico" type="image/vnd.microsoft.icon" /> <link rel="alternate" hreflang="bg" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_bg" /> <link rel="alternate" hreflang="es" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_es" /> <link rel="alternate" hreflang="cs" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_cs" /> <link rel="alternate" hreflang="da" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_da" /> <link rel="alternate" hreflang="de" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_de" /> <link rel="alternate" hreflang="et" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_et" /> <link rel="alternate" hreflang="el" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_el" /> <link rel="alternate" hreflang="en" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_en" /> <link rel="alternate" hreflang="fr" 
href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_fr" /> <link rel="alternate" hreflang="ga" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_ga" /> <link rel="alternate" hreflang="hr" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_hr" /> <link rel="alternate" hreflang="it" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_it" /> <link rel="alternate" hreflang="lv" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_lv" /> <link rel="alternate" hreflang="lt" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_lt" /> <link rel="alternate" hreflang="hu" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_hu" /> <link rel="alternate" hreflang="mt" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_mt" /> <link rel="alternate" hreflang="nl" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_nl" /> <link rel="alternate" hreflang="pl" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_pl" /> <link rel="alternate" hreflang="pt-pt" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_pt" /> <link rel="alternate" hreflang="ro" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_ro" /> <link rel="alternate" hreflang="sk" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_sk" /> <link rel="alternate" hreflang="sl" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_sl" /> <link rel="alternate" hreflang="fi" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_fi" /> <link rel="alternate" hreflang="sv" href="https://commission.europa.eu/legal-notice/vulnerability-disclosure-policy_sv" /> <link rel="icon" 
href="/profiles/contrib/ewcms/themes/ewcms_theme/images/favicons/ec/favicon.svg" type="image/svg+xml" /> <link rel="apple-touch-icon" href="/profiles/contrib/ewcms/themes/ewcms_theme/images/favicons/ec/favicon.png" /> <title>Vulnerability Disclosure Policy - European Commission</title> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_E0trLxjZ08xx2-bYUIk8bNOOHgg-8aEs08g5lQle1oI.css?delta=0&language=en&theme=ewcms_theme&include=eJxtTe0KwyAMfCGpjySpzdowTYKJbL79ZLSUwX4cHPcpmPzAijFLVWFkT4XWBm0kzMGGOda4gmGQK6mN2AO-crVTeRCWLeHbsTGURFn4xz_5UNkb6DH-mLPic6DPeiF-WlBo8E1b3FpXKMutLJ21r4XswC2YQp3gCG60n8fXpUhx0g_wOltU" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_mLUE_thb5nTPavpXGawZfMrskTEgPqunVakABR6iV7w.css?delta=1&language=en&theme=ewcms_theme&include=eJxtTe0KwyAMfCGpjySpzdowTYKJbL79ZLSUwX4cHPcpmPzAijFLVWFkT4XWBm0kzMGGOda4gmGQK6mN2AO-crVTeRCWLeHbsTGURFn4xz_5UNkb6DH-mLPic6DPeiF-WlBo8E1b3FpXKMutLJ21r4XswC2YQp3gCG60n8fXpUhx0g_wOltU" /> <link rel="stylesheet" media="print" href="/sites/default/files/css/css_bK35D3_dPyjb_dlLObCCrt97zQ63u--0DEvXDOkmxKY.css?delta=2&language=en&theme=ewcms_theme&include=eJxtTe0KwyAMfCGpjySpzdowTYKJbL79ZLSUwX4cHPcpmPzAijFLVWFkT4XWBm0kzMGGOda4gmGQK6mN2AO-crVTeRCWLeHbsTGURFn4xz_5UNkb6DH-mLPic6DPeiF-WlBo8E1b3FpXKMutLJ21r4XswC2YQp3gCG60n8fXpUhx0g_wOltU" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_jMGhpbv_6M-gylIQY0UUqVmjj-r9d-ggiKhhqt43n6I.css?delta=3&language=en&theme=ewcms_theme&include=eJxtTe0KwyAMfCGpjySpzdowTYKJbL79ZLSUwX4cHPcpmPzAijFLVWFkT4XWBm0kzMGGOda4gmGQK6mN2AO-crVTeRCWLeHbsTGURFn4xz_5UNkb6DH-mLPic6DPeiF-WlBo8E1b3FpXKMutLJ21r4XswC2YQp3gCG60n8fXpUhx0g_wOltU" /> <link rel="stylesheet" media="print" 
href="/sites/default/files/css/css_b9FJ_v0CYWKDGP5uXcYLv1GutQmplJrV5UzLhHMSyUU.css?delta=4&language=en&theme=ewcms_theme&include=eJxtTe0KwyAMfCGpjySpzdowTYKJbL79ZLSUwX4cHPcpmPzAijFLVWFkT4XWBm0kzMGGOda4gmGQK6mN2AO-crVTeRCWLeHbsTGURFn4xz_5UNkb6DH-mLPic6DPeiF-WlBo8E1b3FpXKMutLJ21r4XswC2YQp3gCG60n8fXpUhx0g_wOltU" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_HARlYiESO-_6hCwZV1CscsX-NvA5_Ax4xNwR0a5Axzs.css?delta=5&language=en&theme=ewcms_theme&include=eJxtTe0KwyAMfCGpjySpzdowTYKJbL79ZLSUwX4cHPcpmPzAijFLVWFkT4XWBm0kzMGGOda4gmGQK6mN2AO-crVTeRCWLeHbsTGURFn4xz_5UNkb6DH-mLPic6DPeiF-WlBo8E1b3FpXKMutLJ21r4XswC2YQp3gCG60n8fXpUhx0g_wOltU" /> </head> <body class="language-en ecl-typography path-node page-node-type-landing-page"> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="ecl-u-mb-2xl" id="block-ewcms-theme-page-header"> <div class="ecl-page-header" ><div class="ecl-container"><div class="ecl-page-header__info"><h1 class="ecl-page-header__title"><span>Vulnerability Disclosure Policy</span></h1></div></div></div> </div> <main class="ecl-u-pb-xl" id="main-content" data-inpage-navigation-source-area="h2.ecl-u-type-heading-2, div.ecl-featured-item__heading"> <div class="ecl-container"> <div class="ecl-row"> <div class="ecl-col-s-12 ewcms-top-sidebar"> <div> <div data-drupal-messages-fallback class="hidden"></div> </div> </div> </div> <div class="ecl-row"> <div class="ecl-col-s-12"> <div id="block-ewcms-theme-main-page-content" data-inpage-navigation-source-area="h2, div.ecl-featured-item__heading" class="ecl-u-mb-l"> <article dir="ltr"> <div> <div class="ecl-u-mb-2xl"> <a id="paragraph_40227"></a> <h2 class="ecl-u-type-heading-2">Introduction</h2> <div class="ecl"><p>At the European Commission, the security of our Communication and Information Systems is a top priority, in line with <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32017D0046">Commission Decision EC 2017/46</a>.</p> <p>However, vulnerabilities can never be completely eliminated, despite best efforts. When vulnerabilities are identified and exploited, it puts at risk the confidentiality, integrity or availability of the European Commission's systems and the information processed therein.</p> <p>This vulnerability disclosure policy describes what systems and types of tests are authorised and how to send vulnerability reports.
We encourage you to contact us to report potential security issues in our systems by following this policy.</p></div> </div> <div class="ecl-u-mb-2xl"> <a id="paragraph_40874"></a> <h2 class="ecl-u-type-heading-2">Authorisation</h2> <div class="ecl"><p>If you are acting in good faith to identify and report vulnerabilities on European Commission systems while complying with this policy, we will work with you to understand and resolve the issues quickly.<br> The European Commission will not pursue legal action related to your activities of identifying vulnerabilities on our systems as long as you follow the guidelines in this policy.</p></div> </div> <div class="ecl-u-mb-2xl"> <a id="paragraph_40228"></a> <h2 class="ecl-u-type-heading-2">Scope</h2> <div class="ecl"><p>This policy applies to all internet-facing systems of the European Commission, including</p> <ul> <li>the European Commission’s entire web presence <ul> <li>*.ec.europa.eu/*</li> <li>*.commission.europa.eu/*</li> </ul> </li> <li>public IPs advertised under ASN 42848, and attached services</li> <li>any other software published by the European Commission</li> </ul> <p>Any services not expressly listed above are excluded from the scope and are not authorised for testing.<br> Moreover, vulnerabilities found in systems from vendors are also excluded from scope and should be reported directly to the vendor according to their own disclosure policy (if applicable).</p></div> </div> <div class="ecl-u-mb-2xl"> <a id="paragraph_40229"></a> <h2 class="ecl-u-type-heading-2">Guidelines</h2> <div class="ecl"><h3>While carrying out your activities, it is imperative that you</h3> <ul> <li>do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people’s data</li> <li>only use harmless exploits to confirm that a vulnerability is present</li> <li>do not reveal any data downloaded during
the discovery to the public or any other parties</li> <li>do not reveal the vulnerability or problem to the public or other parties until it has been resolved</li> <li>stop your tests when you discover any sensitive information (Personally Identifiable Information – PII, medical, financial, proprietary information or trade secrets), notify us immediately, and do not disclose any obtained data to anyone else</li> </ul> <h3>Do not perform the following actions</h3> <ul> <li>place malware (virus, worm, Trojan horse, etc.) on any system</li> <li>compromise any systems using exploits to gain full or partial control</li> <li>copy, modify or delete data from the system</li> <li>make changes to the system</li> <li>repeatedly access the system or share access with the public or other parties</li> <li>use any access obtained to attempt to access other systems</li> <li>change access rights of other users</li> <li>use automated scanning tools</li> <li>use a so-called “brute force” attack to access any systems</li> <li>use denial-of-service or social engineering (phishing, vishing, spam, etc.)</li> <li>use attacks on physical security</li> </ul></div> </div> <div class="ecl-u-mb-2xl"> <a id="paragraph_40230"></a> <h2 class="ecl-u-type-heading-2">Reporting a vulnerability</h2> <div class="ecl"><h3>What we would like to see from you</h3> <p>If you have identified a vulnerability, please</p> <ul> <li>e-mail your findings as soon as possible to <span class="spamspan" data-spamspan-class="ecl-link"><span class="u">EC-VULNERABILITY-DISCLOSURE</span><img class="spamspan-image" alt="at" src="/modules/contrib/spamspan/image.gif"><span class="d">ec<span class="o"> [dot] </span>europa<span class="o"> [dot] </span>eu</span><span class="t"> (EC-VULNERABILITY-DISCLOSURE[at]ec[dot]europa[dot]eu)</span></span>, specifying whether or not you agree to your name or pseudonym being made publicly available as the discoverer of the problem</li> <li>encrypt your findings using our <a
href="https://ec.europa.eu/assets/digit/pgpkey/ec-vulnerability-disclosure-pgp.txt" class="ecl-link">PGP key</a> to prevent this critical information from falling into the wrong hands</li> <li>provide us with sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation in terms of technical information or potential proof-of-concept code</li> <li>provide your report in English preferably, or in any other official language of the European Union</li> </ul></div> </div> <div class="ecl-u-mb-2xl"> <a id="paragraph_40231"></a> <div class="ecl"><h3>What you can expect from us</h3> <p>In return, we promise the following when you report a vulnerability to us, that is to</p> <ul> <li>respond to your report within three (3) business days with our evaluation of the report</li> <li>handle your report with strict confidentiality</li> <li>where possible, inform you when the vulnerability has been remedied</li> <li>process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation and will not pass on your personal details to third parties without your permission</li> <li>publish your name as the discoverer of the problem, if you have agreed to this in your initial e-mail, when and if we disclose the problem publicly</li> </ul></div> </div> </div> </article> </div> </div> </div>
</div> </main> </div> </body> </html>