Report Security Vulnerabilities

A security vulnerability is a set of conditions in the design, implementation, operation or management of a product or service that fails to prevent an attack by a party, resulting in exploitation such as controlling or disrupting operation, compromising (i.e. deleting, altering or extracting) data, or assuming ungranted trust or identity.

Note: If you are concerned about a potential security vulnerability in the IBM website, please send an email to IBM Abuse.

Customers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact the appropriate Security and/or System Integrity groups and inform IBM PSIRT, as needed. These IBM teams will collaborate as required to address the issue.

Security researchers, industry groups, government organizations and vendors concerned with product security can report potential security vulnerabilities directly to IBM PSIRT. In cases where IBM previously identified alternate security contacts and processes, vulnerability reporters can also continue to use those, as appropriate.

Vulnerability reporters can submit product security vulnerabilities to IBM PSIRT using the form below or by email.

Security Vulnerability Submission Form

Click here to submit a report of a potential product security vulnerability in an IBM offering.

Security Vulnerability Submission by Email

Vulnerability information is extremely sensitive. When using email to report a potential security issue to IBM PSIRT, please encrypt it using our PGP public key (ASC, 2.26KB). Please direct these emails to IBM PSIRT. It is important to include at least the following information in the email:

  • Organization and contact name
  • Your Reference / Advisory Number
  • Products or solutions and versions affected
  • Description of the potential vulnerability
  • Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
  • Information about known exploits
  • Disclosure plans, if any
  • Whether you want public recognition