Skip to main content
Question

Vulnerability Disclosure Procedure

  • July 9, 2026
  • 1 reply
  • 12 views

Hi all, 

I am using Censys Search as part of my research. 

If I happen to discover an undisclosed vulnerability while using Censys, what are the expected disclosure procedures for both identifiable and non-identifiable hosts? For example, how can I disclose vulnerabilities to hosts with only IP:port  metadata and no domain names? For those with domains/contacts, I should reach out to them directly right?

 

Thank you for your support,

1 reply

MattK_Censys
Forum|alt.badge.img+2
  • Censys Community Manager
  • July 10, 2026

We can share some general practices, though disclosure situations vary, so treat this as a starting point. 

The recommended path of action here depends on what you’ve found.

  • If you believe you’ve found a novel (undisclosed) vulnerability in a product: it’s recommended to disclose this to the vendor first (security@, security.txt, or their VDP page). If the vendor is unresponsive, coordinators like CERT/CC or a national CSIRT can help.
  • If these are hosts exposed to a known vulnerability, then it depends on how much metadata you have, as you’ve mentioned:
    • With domains/contacts: you can reach out to security.txt, then security@ or abuse@. Keep it factual and non-alarmist.
    • IP:port only: this can be challenging and attribution here is genuinely difficult. WHOIS/RDAP the IP for the netblock owner’s abuse/security contact; they can relay to their customer. 


It’s worth noting that active vulnerability validation of assets you don’t have permission to test can carry some legal risk depending on jurisdiction.

Good luck with your research!