Report Security Vulnerabilities

A security vulnerability is a set of conditions in the design, implementation, operation or management of a product or service. Vulnerabilities render the product or service unable to prevent an attack by an internal or external party, resulting in exploitations such as controlling or disrupting operation, compromising (such as deleting, altering or extracting) data, or assuming ungranted trust or identity.

Customers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM® offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact the appropriate Security and/or System Integrity groups and inform IBM PSIRT, as needed. These IBM teams will collaborate as required to address the issue.

Third party researchers and other security entities, if you find a potential security vulnerability in IBM assets, products and services, you can report it by visiting, where you’ll find the scope and terms of the program. Please review the FAQs below for additional information.

Q: What is a vulnerability disclosure program?
A: A vulnerability disclosure program (VDP) offers guidance for how an organization would like to be notified about potential security vulnerabilities found by external third parties and how vulnerabilities are disclosed. Often called the “see something, say something" of the Internet, this public-facing program is an industry best practice. The VDP outlines how external third parties can report potential security vulnerabilities to IBM so they can be safely resolved.

Q: Why did IBM enhance its VDP to include HackerOne?
A: IBM is continually enhancing its VDP. HackerOne is a leading vulnerability disclosure program that connects organizations with independent cybersecurity researchers.

Q: HackerOne also acts as a bug bounty platform. Is IBM implementing a bug bounty?
A: IBM will not offer financial rewards at this time, but IBM will continue to evaluate its program on a regular basis.

Q: Will this program be ongoing or is it for a specific timeframe?
A: Protecting IBM assets, products and services is a top priority. We continually review our VDP to determine the ways in which it can be enhanced.