Report a vulnerability

CDS is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it.

Please note we do not respond to submissions, and we do not participate in bug bounty programs or provide recognition.

Find out how the Canadian Digital Service protects your privacy

Select the domain that has a vulnerability

Please do not submit a vulnerability for a domain that is not on this list. We do not forward submissions for domains we do not own.

Title

A clear and concise title includes the type of vulnerability and the impacted asset.

Describe the vulnerability, where it was discovered, and the potential impact of exploitation.

Maximum 250 characters

Steps to reproduce the vulnerability

Maximum 1000 characters

Do you know the Common Weakness Enumeration code of the vulnerability? If so, please provide it below

Common Weakness Enumeration Code (CWE)

Estimate the severity of the issue. You can use the Common Vulnerability Scoring System Version 3.1. calculator to determine the severity.

Do you have any additional information to add?

Date modified: 2025-03-06