Where to report vulnerabilities?
Before reporting a vulnerability to CERT Polska and making it public, submitters should contact the system owner or software vendor directly.
If it is impossible to find the relevant contact information, or if contacting such parties proves difficult, the vulnerability should be reported to the relevant CSIRT according to the applicable area of responsibility, as described below:
The tasks of CSIRT MON include coordinating the handling of reported vulnerabilities in entities subordinate to or supervised by the Minister of National Defence. Vulnerabilities must be reported according to the instructions.
The tasks of CSIRT GOV include coordinating the handling of reported vulnerabilities in units subordinate to or supervised by the Prime Minister, as well as in entities comprising critical infrastructure, central government authorities, the National Bank of Poland, and Bank Gospodarstwa Krajowego. Vulnerabilities must be reported according to the instructions.
If the vulnerability affects other entities, or if submitters are in doubt as to where to submit the notification, they should use the following contact form:
How does CERT Polska/CSIRT NASK handle submissions?
We analyse each vulnerability report we receive. If we require additional information, or if the information provided is incomplete, our analysts will contact the Submitter directly. Where it is necessary to exchange information between the Submitter and the vulnerable system’s owner, CERT Polska can support this process as a trusted party.
We prioritise submissions that involve multiple producers or entities and can have a significant impact on national security.
Once the vulnerability reporting process is completed and the bug has been patched, CERT Polska may publish information about the vulnerability on its website in a manner that makes it impossible to identify the Submitter and the relevant systems. This information will only contain the Submitter's data upon their consent.
Please do not publish information about the vulnerability before the vulnerability handling process has been completed. Submitters who are planning to do so are asked to inform us in advance.
How and when CVE numbers are assigned?
It is possible to obtain a CVE number, where the vulnerability affects a software used on multiple systems. For more information about the CVE programme, visit: https://www.cve.org/About/Overview
For example, a vulnerability in a single municipality's website will not be assigned a CVE number; however, a vulnerability in a content management system used by multiple authorities may receive one. Moreover, CVE numbers are not assigned to vulnerabilities resulting from configuration errors made by the persons implementing the system, rather than the system itself.
The CVE request must be submitted to the appropriate CVE Numbering Authority (CNA), depending on which system is affected by the vulnerability. For a list of CNAs and information on how to submit requests, visit: https://www.cve.org/ReportRequest/ReportRequestForNonCNAs
If the vulnerability is related to a Polish producer, which is not a CNA, or if the submitter finds it difficult to contact the relevant CNA, CERT Polska can support them in the process of assigning a CVE number.