Welcome to the US-CERT Incident Reporting System

The US-CERT Incident Reporting System provides a secure web-enabled means of reporting computer security incidents to US-CERT. This system assists analysts in providing timely handling of your security incidents as well as the ability to conduct improved analysis. If you would like to report a computer security incident, please complete the following form.

What is an incident?

A good but fairly general definition of an incident is the act of violating an explicit or implied security policy. Unfortunately, this definition relies on the existence of a security policy that, while generally understood, varies among organizations.

For the federal government, an incident, defined by NIST Special Publication 800-61, is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. Federal incident reporting guidelines, including definitions and reporting timeframes, can be found at http://www.us-cert.gov/government-users/reporting-requirements.html.

In general, types of activity that are commonly recognized as being in violation of a typical security policy include but are not limited to:

  • attempts (either failed or successful) to gain unauthorized access to a system or its data, including PII-related incidents
  • unwanted disruption or denial of service
  • the unauthorized use of a system for processing or storing data
  • changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

We encourage you to report any activities that you feel meet the criteria for an incident. Note that our policy is to keep any information specific to your site confidential unless we receive your permission to release that information.

Using the US-CERT Incident Reporting System

In order for us to respond appropriately, please answer the questions as completely and accurately as possible. Questions that must be answered are labeled "Required". As always, we will protect your sensitive information. This web site uses Secure Sockets Layer (SSL) to provide secure communications. Your browser must allow at least 40-bit encryption. This method of communication is much more secure than unencrypted email.

Section: Reporter's Contact Information
First Name (Required)
Last Name (Required)
Email Address (Required)
Telephone number (Required)
Are you reporting as part of an Information Sharing and Analysis Center (ISAC)?
What type of organization is reporting this incident? (Required)
What is the impact to the reporting organization? (Required)
What type of follow-up action are you requesting at this time? (Required)
Describe the current status or resolution of this incident. (Required)
From what time zone are you making this report? (Required)
What is the approximate time the incident started? (local time)
When was this incident detected? (local time)
Section: Incident Details
Please provide a short description of the incident and impact (Required)
How many systems are impacted by this incident?
(Leave blank if Unknown)
How many sites are impacted by this incident?
(Leave blank if Unknown)
Was the data involved in this incident encrypted?
Was critical infrastructure impacted by this incident?
What was the primary method used to identify the incident?
If available, please include 5-10 lines of time-stamped logs in plain ASCII text (e.g., CSV).