Report a Security or Privacy Concern

Please provide all applicable information in the form, including sufficient details of your specific concern. Categorize your concern as one of the following:

  • ArcGIS Software Vulnerability - report a vulnerability found in ArcGIS Online or an Esri Product.
  • Privacy Issue: ArcGIS Software Product - if you have a privacy concern related to our applications, such as ArcGIS Online or another product Esri provides.
  • Privacy Issue: Esri Corporate - if you have a privacy concern related to our organization, such as marketing materials or the corporate website.
  • Privacy Issue: Unsafe Site or URL - report abuse of the Esri brand, including misleading domains purported to be linked to Esri, providers of cracked Esri software, or phishing sites targeting Esri customers or employees.
  • Other - for all other security, privacy or compliance related concerns.

Your contact details will only be used to follow up on the information you provided.

Esri PSIRT provides a public PGP key for use when communicating with our team. Please make use of this key when providing details of software vulnerabilities to Esri.

Vulnerability Reporting Policy

The Esri Product Security Incident Response Team (PSIRT) acknowledges the valuable role that independent security researchers play in Internet security. We encourage responsible reporting of any vulnerabilities that may be found in our site or application. Esri is committed to working with the security community to verify and respond to any potential vulnerabilities that are reported to us. Esri will not bring a lawsuit or begin a law enforcement investigation of you if this policy is followed.

Esri does not permit the following types of security research

  • Causing, or attempting to cause, a Denial of Service (DoS) condition.
  • Using automated security tools without Esri's explicit consent. Use of automated tools may result in investigative action or your IP(s) being blocked.
  • Accessing, or attempting to access, data or information that does not belong to you.
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.

Third Party Component Vulnerabilities

Esri Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a potential security issue in a third party component impacts Esri software, please review Esri's Third Party Component CVE response document located in the Documents tab.

The Product Security Incident Response Team commitment

To all security researchers who follow this Vulnerability Reporting Policy, the Product Security Incident Response Team commits to the following:

  • To respond in a timely manner, acknowledging receipt of your report.
  • To provide an estimated time frame for addressing this vulnerability.
  • To notify the reporting individual when the vulnerability has been fixed.

If you are requesting validation of an automated vulnerability scan for Esri Software, please review our Automated Scanning Guidance and requirements. If you are concerned about a 3rd party component discovered in ArcGIS, please review our 3rd Party Component CVE response app.
(Both require ArcGIS Login.)
If the vulnerability in question is not found in the 3rd party component vulnerability response app, please validate whether the issue is found on US CISA's Known Exploited Vulnerabilities (KEV) Catalog.
Scans submitted without meeting these prerequisites will be rejected.