Report a vulnerability in an SSH.COM product

While we do not have a formalized bug bounty program at this time, we will happily reward people who ethically report vulnerabilities and security bugs in our products.

We would appreciate having reasonable time (up to 90 days) to fix any such vulnerabilities before they become public, but we will not prevent you from publishing legally found vulnerabilities.

Please use the form below. You can also email vulnerabilities@ssh.com

...

Important information!

Please read before proceeding:

  • No support contract is required to submit security vulnerabilities. We welcome reports on security vulnerabilities from non-customers.

  • For existing customers with access to SSH.COM Support, we recommend that you log in and report a vulnerability via the secure support site

  • Please use this form only for reporting security vulnerabilities in SSH.COM products (Universal SSH Key Manager, CryptoAuditor, NQX, PrivX, Tectia)   

  • This is not a general support page and we do not provide product support via this page

  • We do not handle bug reports or provide support for Open Source SSH implementations not maintained by us, even if they are available for download on this site. Please address such reports and inquiries directly to the respective open source maintainers and community forums