AT&T Security Vulnerability Reporting

AT&T Notice to Security Researchers

AT&T is committed to responsible and effective processes for interacting with Security Researchers around the world. To that end, we have established the following:

  • Security Researchers should understand that AT&T does not endorse, solicit, or request independent testing of AT&T services and products for security vulnerabilities. Furthermore, all use of our products, services, and externally-accessible sites and applications must be performed in accordance with our Terms and Conditions, as well as with all applicable laws and regulations.
  • If a Security Researcher identifies information believed to be related in some way to an AT&T product, service, or infrastructure component, or that the Security Researcher believes AT&T to be in a responsible position to help mitigate a security vulnerability, then AT&T would welcome receipt of this information so that it may independently investigate and take corrective action when necessary. Confidentiality will be maintained within the AT&T security team.
  • Timing - Addressing a valid reported vulnerability will take time, which will vary based on the sufficiency of the information provided, the severity of the vulnerability and the affected systems. AT&T cannot actively respond to all information posted by Security Researchers; however, we will make a "best effort" to try to ensure that valid information is quickly and responsibly handled.
  • Regarding Disclosure - In order to protect customer privacy, AT&T requests that you not post or share information about a potential and unverified vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we ask that you respect our customers' privacy and do not post or share any customer data without authorization of the customer.
Reporting a Security Vulnerability to AT&T

Contact AT&T by sending email to in the following situations:

  • You have identified a potential security vulnerability with one of our products, services or infrastructure; or you believe AT&T to be in a responsible position to help mitigate a security vulnerability.

Please provide as much of this information as possible as it will help us to better understand the nature and scope of the situation:

  • Contact information for the Finder or other persons with substantial knowledge of the vulnerability
  • Type of issue (buffer overflow, SQL injection, cross-site scripting, for example)
  • Service, Product, Device, API and version that contains the vulnerability
  • Description of the vulnerability
  • How discovered and instructions to reproduce
  • Sample code

AT&T encourages the encryption of sensitive information that is sent to AT&T in email messages. To encrypt your message to our public key, please see our key in the 'Public Key Block' tab.

You should receive an initial acknowledgement of receipt response within 24 hours, and this acknowledgement will include a unique Tracking Number. If for some reason you do not receive a response, please contact us again to ensure we received your original message.

The email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services.

Public Key Block