The number of manufacturers in cyber safety industries who have coordinated vulnerability disclosure programs is quickly growing. We encourage more engagement between manufacturers and researchers, along the lines of our Position on Disclosure.



– General Motors

–  Fiat Chrysler Automobiles

–  Toyota

–  PTC

–  BMW

–  Bosch

–  Mercedes (  Daimler)

–  Audi

Medical Devices

Public Infrastructure



Panasonic Avionics



–  GE

–  Philips

–  Bosch

Third-Party Vulnerability Coordinators and Other Disclosure Resources

CERT/CC – Part of the a non-profit Software Engineering Institute (SEI).

US-CERT or  ICS-CERT – The US government’s incident handling and vulnerability coordination organizations.

FDA – The US regulator for medical devices has asked researchers to reach out by email with questions or issues

–  Bug Crowd,  HackerOne,  SynAck – Companies that run disclosure programs for other organizations, and may help coordinate with organizations not on their platform.

– Email common addresses, such as security@, psirt@, safety@, productsecurity@, etc.

– See if anyone in your network has contacts at the company, without inadvertently disclosing the issues.

Resources for Companies

– The US Department of Commerce, National Telecommunications and Information Administration (NTIA) partnered with security researchers, industry, and others in creating a  template and guidance document for vulnerability disclosure in safety critical systems.

–  ISO/IEC 29147 Standard for Vulnerability Disclosure (free download)

–  ISO/IEC 30111 Standard for Vulnerability Handling Processes

– If you know of other public coordinated vulnerability disclosure policies or resources, we ask that you let us know. info [at]