Skip to Content
 Close search

Vulnerability disclosure program

External security researchers are encouraged to submit, in confidence, their findings regarding potential security vulnerabilities on the websites listed below.

We value the contributions of the security community and request that you adhere to the terms and conditions outlined on this page by submitting your findings to us.

We will conduct a thorough assessment of any vulnerability report that is submitted.

Compensation is not offered in exchange for reports containing verified or potential vulnerabilities.

If you have any questions regarding the scope of an item or any specifics, please email

In scope

Any product or service wholly owned by the Commission to which you have authorised access. This covers the following domains:


Out of scope

Our vulnerability disclosure program does not cover:

  • Clickjacking
  • Self-exploitation issues (i.e. Self XSS, cookie reuse, self DoS)
  • Missing security headers
  • Disclosure of known public files or directories
  • Lack of Secure or HTTP Only flags on non-sensitive cookies
  • Usage of a known vulnerable library or framework without a valid attack scenario
  • Automated vulnerability scan reports
  • Weak or insecure SSL ciphers or certificates
  • Social engineering or phishing
  • Denial of Service (DoS) or any availability attacks
  • Physical attacks
  • Application or websites controlled by a third party
  • Accessing or attempting to access accounts or data that does not belong to you
  • Attempts to modify or destroy data
  • Exfiltrating any data under any circumstances
  • Any activity that violates any law.

How to report a vulnerability

To report a vulnerability, email

Please include as much information as possible, such as:

  1. Any proof of concept (PoC) or exploit code required to reproduce
  2. Steps to reproduce
  3. Explanation of the vulnerability.

If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.

Next steps

We will:

  • respond to your report within five business days
  • keep you informed of our progress
  • agree upon a date for public disclosure
  • with your consent credit you as the person who discovered the vulnerability.