Report an Incident

Incidents can be reported via e-mail or phone. See our contact page for details including OpenPGP information.

What is an Incident

Any adverse event whereby some aspect of security could be threatened, as described in ITU-T E.409.

Some examples of computer security incidents are:

  • Unauthorized use of a computer system
  • Compromised systems with malware
  • Phishing attempts
  • Website defacement
  • Software vulnerabilities (check our Responsible Vulnerability Disclosure procedure)

If you want to review a website/phishing URL before submitting a notification to us, you can use CIRCL URL Abuse.

Guideline for Incident Reporting

DISCLAIMER: If you are considering criminal prosecution by filing a complaint, contact the police first.

If you believe you have encountered or identified an incident, please complete, in as much detail as possible, the form available at

or send an email, preferably GPG/PGP encrypted, to

In case of emergency, you can reach CIRCL on its direct phone line

  • (+352) 247 88444

All reported information will be treated confidentially.

Recommendations

CIRCL encourages you to implement the following guidelines:

  • CIRCL should be informed as soon as possible once an incident has been detected or suspected
    • The first action to undertake should be contacting CIRCL
    • CIRCL may act as support for advising you on emergency actions that could be performed
  • As far as possible, actions performed on systems/services should aim to preserve evidence
  • Once an incident has been detected, every action undertaken in relation to this incident should be noted
    • who, what, when, why, expected outcome of the action and actual outcome
    • This covers all actions, whether or not they are performed on systems/services
  • The crime scene should neither be altered nor modified (as far as possible)
    • Instead of turning off a system, unplugging the network connection is usually the better choice regarding the possibility of evidence collection
    • Software, applications, files, data or logs should not be installed, re-installed, copied, moved or deleted from the impacted system/services
    • This guideline also applies to systems/services other than those impacted by the incident: in case of an incident, other systems/services can be helpful for collecting (additional) evidence or for understanding/identifying the root cause of the incident
  • No major changes should be implemented on the impacted systems/services
    • No actions other than those intended to contain the incident should be performed
    • The eradication of the root cause of the incident/the recovery from the incident should not be performed without evaluating the impact on the evidence
  • When reporting, please be specific about time and time zone.
    • Don’t forget to include contact details including phone numbers or PGP keys if available.
  • For collecting evidence, we advise having a look at the following technical procedure:
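
For the recommendations above on noting every action (who, what, when, why, expected and actual outcome) and on stating time and time zone, here is an added example; it is not CIRCL code and not the procedure referred to above. The field names, the `on_system` flag and the SHA-256 chaining (which goes beyond the text so that later edits to the notes are detectable) are assumptions, and the log is meant to be kept on a separate analyst machine, not on the impacted system.

```python
"""Incident action log: added example, not CIRCL code.
Field names, the on_system flag and the hash chain are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

FIELDS = ("who", "what", "when", "why", "expected_outcome", "actual_outcome")
GENESIS = "0" * 64  # "previous hash" of the very first record


def _digest(prev_hash, entry):
    # Canonical JSON so the same entry always hashes to the same value.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_action(log, *, who, what, why, expected_outcome, actual_outcome,
                  on_system=True, when=None):
    """Append one action to `log` (a list of dicts) and return the record."""
    when = when or datetime.now(timezone.utc)
    # Reject naive timestamps: a report must state its time zone.
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("timestamp must carry an explicit time zone")
    entry = {"who": who, "what": what, "when": when.isoformat(), "why": why,
             "expected_outcome": expected_outcome,
             "actual_outcome": actual_outcome,
             # Actions not performed on systems/services are logged as well.
             "on_system": on_system}
    missing = [f for f in FIELDS if not str(entry[f]).strip()]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = dict(entry, prev=prev_hash, hash=_digest(prev_hash, entry))
    log.append(record)
    return record


def verify_log(log):
    """Return the index of the first altered or reordered record, or -1."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        entry = {k: v for k, v in record.items() if k not in ("prev", "hash")}
        if record["prev"] != prev_hash or record["hash"] != _digest(prev_hash, entry):
            return i
        prev_hash = record["hash"]
    return -1
```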

Confidentiality

The primary goal of CIRCL is to help the victims of information security incidents (mainly in Luxembourg) while respecting the strict confidentiality of the reported incidents. CIRCL will not give any details to third parties without the prior consent of the victims.

In case of legal complaints, CIRCL helps the Luxembourgish law enforcement agencies. A search warrant is one of the techniques used by law enforcement agencies to clear up an ongoing legal investigation.

CIRCL’s role is to respond to information security incidents and to coordinate that response. CIRCL is on the front line in the sole interest of information security in Luxembourg.