RTX and our businesses are committed to the safety and security of our products, systems, and customer information. We accept good-faith, responsible reporting of potential security vulnerabilities in any product, system, or asset made by or belonging to RTX or its businesses.
If you believe you have found a security vulnerability in a public-facing RTX product, system, or asset, please review the vulnerability reporting guidelines and submit the form below.
Vulnerability reporting guidelines
- This vulnerability disclosure program is not intended for use by individuals and entities that are affiliated with and/or are business partners of RTX. RTX suppliers and customers should contact their RTX business point of contact to report potential vulnerabilities, while RTX employees and contractors should use their business reporting channels in accordance with RTX policies and procedures.
- Do not engage in activity that could potentially harm or compromise the safety or privacy of any RTX employees, our customers, suppliers, RTX, or any third parties.
- Do not engage in threats or extortion attempts.
- Do not engage in social engineering, including spear phishing.
- Do not access, exfiltrate, transfer, store, destroy, or otherwise compromise any RTX, customer, supplier, or any third-party data.
- Do not take any action that can potentially degrade, halt or render inaccessible our systems, assets, products, or data (e.g., denial of service testing).
- Notify RTX, and halt all activity, if you encounter personal information or proprietary data.
- Use RTX-approved disclosure channels to report vulnerability information to us.
- Provide RTX reasonable time to resolve any reported issue, including any necessary review and approval of the resolution by regulators before such information is shared with others. The disclosure restriction noted in this line-item does not apply to any disclosure to the government regulator or any relevant government agency.
Secure communication
To communicate with us in a verifiably secure manner as necessary, please contact us using GPG.
You can encrypt your file using our RTX public GPG key.
Our fingerprint to verify our messages:
e4bbe371574301b2eb764796c220079dadd66c1483169ac70e834abbda02c9bd
Report a vulnerability
By clicking Submit on the form below, you acknowledge and agree to the terms of this disclosure process, including with respect to confidentiality, disclosure, and compliance with applicable law. Any personal information you provide in your report or follow-up related to your report is subject to the General Privacy Notice.
Frequently asked questions
Will I receive a response after reporting a vulnerability?
- We will typically acknowledge receipt of your submission within three business days. You may follow up on previous submissions using the submission form.
Will my submission be treated confidentially?
- Personal data RTX receives in connection with a submission will be protected in accordance with RTX’s General Privacy Notice and applicable laws. Subject to the above, you otherwise consent to RTX and its suppliers and customers using the information provided to address any potential vulnerability in any products, systems, or assets made by or belonging to RTX or its businesses. RTX accepts anonymous submissions. In addition, any research findings or analysis provided by the researcher will be treated confidentially by RTX.
Will you recognize me if I report a vulnerability?
- There is no monetary reward or recognition program under this reporting process.
If at any time you have questions or concerns, or are uncertain whether your research is consistent with this policy, please contact us through the form above.