Vulnerability reporting guidelines

  • This vulnerability disclosure program is not intended for use by individuals and entities that are affiliated with and/or are business partners of RTX. RTX suppliers and customers should contact their RTX business point of contact to report potential vulnerabilities, while RTX employees and contractors should use their business reporting channels in accordance with RTX policies and procedures.
  • Do not engage in activity that could potentially harm or compromise the safety or privacy of any RTX employees, our customers, suppliers, RTX, or any third parties.
  • Do not engage in threats or extortion attempts.
  • Do not engage in social engineering, including spear phishing.
  • Do not access, exfiltrate, transfer, store, destroy, or otherwise compromise any RTX, customer, supplier, or any third-party data.
  • Do not take any action that can potentially degrade, halt or render inaccessible our systems, assets, products, or data (e.g., denial of service testing).
  • Notify RTX, and halt all activity, if you encounter personal information or proprietary data.
  • Use RTX-approved disclosure channels to report vulnerability information to us.
  • Provide RTX reasonable time to resolve any reported issue, including any necessary review and approval of the resolution by regulators before such information is shared with others. The disclosure restriction noted in this line item does not apply to any disclosure to the government regulator or any relevant government agency.

Secure communication

To communicate with us in a verifiably secure manner as necessary, please contact us using GPG.

You can encrypt your file using our RTX public GPG key.

Our fingerprint to verify our messages:

e4bbe371574301b2eb764796c220079dadd66c1483169ac70e834abbda02c9bd 

Report a vulnerability

By clicking Submit on the form below, you acknowledge and agree to the terms of this disclosure process, including with respect to confidentiality, disclosure, and compliance with applicable law. Any personal information you provide in your report or follow-up related to your report is subject to the General Privacy Notice.

Notify RTX, and halt all activity, if you encounter personal information, proprietary data, or export-controlled technical data (e.g., ITAR or EAR-controlled data). These regulations govern the export and transfer of sensitive information, technology, and products with potential military or national security implications. Please provide only a general summary with your submission, and our Security team will be in touch using a secure communication channel with instructions for submitting further details.

File types accepted: GPG, ASC (1MB limit). Encrypt your file using our public GPG key.

Frequently asked questions

Will I receive a response after reporting a vulnerability?

  • We will typically acknowledge receipt of your submission within three business days. You may follow up on previous submissions using the submission form.

Will my submission be treated confidentially?

  • Personal data RTX receives in connection with a submission will be protected in accordance with RTX’s General Privacy Notice and applicable laws. Subject to the above, you otherwise consent to RTX and its suppliers and customers using the information provided to address any potential vulnerability in any products, systems, or assets made by or belonging to RTX or its businesses. RTX accepts anonymous submissions. In addition, any research findings or analysis provided by the researcher will be treated confidentially by RTX.

Will you recognize me if I report a vulnerability?

  • There is no monetary reward or recognition program under this reporting process.

If at any time you have questions or concerns, or are uncertain whether your research is consistent with this policy, please contact us through the form above.