Disclose a Vulnerability

To facilitate improved situational awareness among members and security partners, the ST and PT ISACs established the Transit Alert & Information Network (TRAIN), which provides a means for securely reporting information regarding both physical and cyber threats, vulnerabilities, and incidents. Anyone can submit information directly through the ISACs via the form on this page on our website or by email. The ISACs will provide the reports to members, critical infrastructure partners, and national, state, and local security partners in accordance with the handling instructions provided at the time of submission.

Safety and security is paramount in the transportation industry. Companies welcome the ethical and responsible disclosure of vulnerabilities.

We recognize that the researcher community may not always be able to reach the appropriate stakeholder(s) to responsibly disclose a vulnerability.

We can facilitate access to companies and assist you in ethically submitting your findings.

Security Researchers and Coordinated Disclosure Program

Ethical disclosure guidelines are designed to ease the disclosure of potential vulnerabilities in an ethical way and in accordance with the law. They shall not be construed as a permission to infringe any law or to reverse engineer any code or other technology. 

Please allow stakeholder(s) the time to assess and fix vulnerabilities before public disclosure. 

Disclosure of any vulnerability should comply with the following principles: 

  • Do not cause any harm to the stakeholder(s), its customers, suppliers, partners or any other individuals or companies.

  • Do not act so as to compromise the safety of any products, their operation, and/or related services. 

  • Do not infringe any applicable intellectual property rights or trade secrets, laws, or regulations.

  • Do not lock, disclose, destroy or compromise the integrity of the company’s customers and partners’ data.

  • Do not turn a financial transaction into a precondition to the disclosure of potential vulnerability.

  • Do not breach any applicable data privacy laws and regulations. 

  • Do not exploit or compromise the vulnerability(s) or vulnerable systems.

Name(Required)
Type of Incident(Required)
Have you attempted to contact the stakeholder(s)?(Required)
Please provide an overview of the vulnerability(s). Do not share sensitive technical details. *
Who should we share this with? Examples: U.S. Government Agencies, Law Enforcement, and ISAC Members.
Accepted file types: pdf, jpg, docx, png, Max. file size: 20 MB.