Report a Security or Privacy Concern
Please provide all applicable information in the form, including sufficient details of your specific concern. Categorize your concern as one of the following:
- Vulnerability - report a vulnerability found in our site or application.
- Privacy Issue: Product - if you have a privacy concern related to our applications, such as ArcGIS Online or another product Esri provides.
- Privacy Issue: Corporate - if you have a privacy concern related to other our organization, such as marketing materials or the Esri.com corporate website.
- Other - for all other security, privacy or compliance related concerns.
Your contact details will only be used to follow up on the information you provided.
Vulnerability Reporting Policy
The Esri Product Security Incident Response Team (PSIRT) acknowledges the valuable role that independent security researchers play in Internet security. We encourage responsible reporting of any vulnerabilities that may be found in our site or application. Esri is committed to working with the security community to verify and respond to any potential vulnerabilities that are reported to us. Esri will not bring a lawsuit or begin law enforcement investigation of you if this policy is followed.
Esri does not permit the following types of security research
- Causing, or attempting to cause, a Denial of Service (DoS) condition.
- Use automated security tools without Esri's explicit consent. Use of automated tools may result in investigative action or your IP(s) being blocked.
- Accessing, or attempting to access, data or information that does not belong to you.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
Third Party Component Vulnerabilites
Esri Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a potential security issue in a third party component impacts Esri software, please review Esri's Third Party Component CVE response document located in the Documents tab.
The Product Security Incident Response Team commitment
To all security researchers who follow this Vulnerability Reporting Policy, the Product Security Incident Response Team commits the following:
- To respond in a timely manner, acknowledging receipt of your report.
- To provide an estimated time frame for addressing this vulnerability.
- To notify the reporting individual when the vulnerability has been fixed.