Report Software Vulnerability

NICE takes security very seriously, and investigates all reported vulnerabilities.

Please report any suspected security vulnerability in a NICE product or service.

How to Contact Us

Suspected vulnerabilities can be reported:

You can submit a report without supplying valid contact information; however, our technicians will then be unable to contact you if further details are needed, and we will be unable to give you credit for your discovery.

Please provide any supporting material (proof-of-concept code, tool output, screenshot, etc.) that would be useful in helping us understand the nature and severity of the vulnerability or the abuse that is happening.

The information you share with us as part of this process is kept confidential and will not be shared with third parties without your permission.

How We Respond

We will respond to you, acknowledging the receipt of the report and outlining the next steps in the process.

Once the report has been submitted, NICE will review it and assign it a tracking number. Our team will then work to validate and rate the reported vulnerability.

NICE will try to score the vulnerability according to the CVSSv3 base metric system. The initial score will be based on the information you provided. The assigned score will be adjusted as further information is collected and more in-depth tests are performed by NICE.

If additional information is required in order to validate or reproduce the issue, NICE will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.

Third-Party Products

If the vulnerability is found to affect a third-party product used in the NICE IT infrastructure or software, we will notify the author of the affected software. NICE will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.

Responsible Disclosure

NICE embraces the responsible disclosure model. In order to protect our customers, NICE asks that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.

NICE will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.

Please understand that addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

In any case, 90 days after the date on which the ticket number is assigned, you will be authorized to disclose the vulnerability, without publishing details about NICE customers' production-specific configurations.