The National Center for Missing & Exploited Children (NCMEC) is a leading organization dedicated to protecting children against exploitation and abuse. Under U.S. federal law, electronic service providers are required to report any detected CSAM to NCMEC via its CyberTipline. The CyberTipline serves as a centralized system for receiving and processing such reports, which are then shared with law enforcement and relevant service providers for further action.

This feature streamlines the process of submitting CSAM reports to NCMEC, ensuring compliance with federal regulations while simplifying workflows for customers and their moderation teams.

🚧

Before You Start

To use this feature, you must have valid NCMEC credentials. These credentials include a username and password, which are provided directly by NCMEC. If you do not already have these credentials, please contact NCMEC to request access before proceeding. Without these credentials, you will not be able to configure or utilize the reporting functionality.

Configuration

This section explains how to configure the platform for CSAM reporting and enable the necessary settings.

Enable the CSAM Review Feed

• On the Settings page, you can enable the NCMEC Review Feed. This will display only CSAM in the Review Feed for images flagged by Thorn. CSAM images will automatically be sent to the Review Feed for Review.
• This feed is essential for moderators to review potential CSAM content and take both enforcement actions along with reporting to NCMEC

❗️

Displaying CSAM Content

The Dashboard will never display CSAM content in the Review Feed. Instead, each task will surface a link that the moderator can click on. Once clicked, the media will open in a new browser tab for the moderator to review.

Input NCMEC Credentials

• Navigate to the Settings page. Under the Thorn tab, enter your NCMEC-provided username and password in the designated fields.
• Save your credentials to enable secure communication with NCMEC’s CyberTipline.

Input NCMEC Report Callback URL

• ln the Thorn tab, under the NCMEC Reporting section, you can provide a NCMEC Report Callback URL.
• This feature provides customers with confirmation that the image they submitted was flagged and reported to NCMEC, as well as a receipt containing information they can use to identify and remove the violative post.

• When you send a post flagged with thorn_enabled: true , you can navigate to the CSAM tab under Review Feeds and click the Start Feed button.
• If the post gets flagged, you'll have the option to report it to NCMEC. After you submit a report to NCMEC, a request will be sent to your callback URL in the following format:

{
  "report_id": "...",
  "post_id": "...",
  "user_id": "...",
  "image_url": "...",
  "moderator_email": "..."
}

• If a callback is successful, it will be logged in your Moderation History under the Event Name "NCMEC Callback Succeeded."

Input Reporting Person Details

• In the Thorn tab, provide the following details for reports submitted to NCMEC:
  • First Name, Last Name, Email Address
• These details will be attached to all reports. If left blank, the system will default to using the name and email of the moderator submitting the report.

Map Metadata to NCMEC Fields

On the Thorn/NCMEC tab on the settings page, you can map your metadata to specific NCMEC fields.

Support for fileViewedByEsp Field

The fileViewedByEsp field within NCMEC reports' fileDetails is set to false by default. You can check this setting to set this to true. Moderators have the option to uncheck this field before submitting the report in the Review Feed.

Report to NCMEC in the CSAM Review Feed

Moderators can report potential CSAM directly from the CSAM Review Feed using the built-in native action. Please note, this action is only supported in the CSAM Review Feed.

• Once you identify flagged content that meets the NCMEC reporting criteria, you can select the "Report to NCMEC" native action from the list of all actions.
• Once all tasks are confirmed, you can click "Submit" to send all reports to NCMEC.
• A confirmation message will appear on the bottom left once the reports have been successfully submitted.

The "Report to NCMEC" action is treated like all other actions on the Moderation Dashboard and hence a Moderation Log event will be created for each report. You can access these logs on the Mod History page.

NCMEC Enrichment URL

Reporters may have additional information about a reported user that they do not want to enter directly into Moderation Dashboard. The NCMEC Enrichment URL allows you to host that data on your own systems and have the platform fetch it automatically at report time, so it can be included in the final NCMEC report.

This feature lets you keep sensitive user information within your own infrastructure while still enriching the personOrUserReported, ipCaptureEvent, and associatedAccount sections of the NCMEC XML report (CyberTipline Report).

Configuration

Configure the NCMEC Enrichment URL

In Settings, under the NCMEC tab, you can configure an endpoint that Moderation Dashboard will call when a moderator submits a NCMEC report:

The NCMEC Enrichment URL receives a POST request with identifiers for the reported user and post, and returns enrichment data to be added to the NCMEC report.

The URL should point to an API endpoint you control, that can:

• Accept an HTTP POST request with a JSON body.
• Return a JSON response matching the schema described below.

Require Enrichment for All Reports

You can toggle the NCMEC Enrichment Required checkbox to make enrichment mandatory for an application.

If this box is checked and the reporter does not provide an enrichment URL, the NCMEC report will be blocked and returned to the Review Feed with the error: This application settings require a NCMEC enrichment url to be set to submit reports

• If this box is checked and the enrichment call fails (after 3 retries), the NCMEC report will also be blocked (details below).
• If this box is not checked and the enrichment call fails, the report proceeds without enrichment data.

How the Enrichment Callback Works

When a moderator submits a CSAM report to NCMEC from the CSAM Review Feed, Moderation Dashboard will:

1. Look up the configured NCMEC Enrichment URL for the application.
2. Send a POST request to that URL with the following payload:

{
  "user_id": "string",   // offending user
  "post_id": "string",
  "reporter_id": "string"
}

• user_id: Identifier of the reported (offending) user.
• post_id: Identifier of the post being reported.
• reporter_id: Identifier of the moderator or reporter initiating the NCMEC report.

Retry and Error Handling

• For non-400 HTTP status codes (e.g., 500, 502, 503), the platform will retry the enrichment request up to 3 times.
• If the platform fails to get a successful response and NCMEC Enrichment Required is checked, it will return a 400 with: The NCMEC Enrichment call failed. ${message}
  • ${message} may contain additional error context when available (e.g. a timeout or upstream error description).
• If NCMEC Enrichment Required is not checked and the enrichment call cannot be completed successfully, the report is sent without enrichment data.

Enrichment Response Schema

Your endpoint must return a JSON body that matches the following TypeScript interfaces:

export interface EnrichmentResponse {
  user_enrichment_data?: UserEnrichmentResponse;
}

export interface UserEnrichmentResponse {
  personOrUserReportedPerson?: PersonOrUserReportedPerson[];
  ipCaptureEvent?: IpCaptureEvent[];
  associatedAccount?: AssociatedAccount[];
}

Reported Person Enrichment (personOrUserReportedPerson)

Only the first entry in the personOrUserReportedPerson array is used today. These fields populate the <personOrUserReportedPerson> element in the NCMEC XML, which is part of the Reported Person details section as defined in NCMEC’s documentation (CyberTipline Report).

export interface PersonOrUserReportedPerson {
  espIdentifier: string; // Required
  firstName?: string;
  lastName?: string;
  dateOfBirth?: string; // Format: YYYY-MM-DD
  email?: string;
  age?: number;
  phone?: string;
}

Below is an example:

{
  "user_enrichment_data": {
    "personOrUserReportedPerson": [
      {
        "espIdentifier": "internal-user-12345",
        "firstName": "Alex",
        "lastName": "Doe",
        "dateOfBirth": "1995-08-14",
        "email": "[email protected]",
        "phone": "+1-555-0100"
      }
    ]
  }
}

IP Capture Events (ipCaptureEvent)

Each object in the ipCaptureEvent array creates an <ipCaptureEvent> block under the <personOrUserReported> section of the NCMEC XML. These entries conform to NCMEC’s ipCaptureEvent format (CyberTipline Report).

export interface IpCaptureEvent {
  ipAddress?: string;
  eventName?: string;
  dateTime?: string; // ISO 8601 format
}

Below is an example:

{
  "user_enrichment_data": {
    "ipCaptureEvent": [
      {
        "ipAddress": "203.0.113.10",
        "eventName": "login",
        "dateTime": "2025-12-09T21:15:30Z"
      },
      {
        "ipAddress": "203.0.113.20",
        "eventName": "post_created",
        "dateTime": "2025-12-09T21:16:05Z"
      }
    ]
  }
}

Associated Accounts (associatedAccount)

Each object in the associatedAccount array becomes an <associatedAccount> element in the NCMEC XML, following NCMEC’s associatedAccount definition (CyberTipline Report).

export interface AssociatedAccount {
  type?: string;
  platform?: string;
  thirdPartyUser?: string;
  firstName?: string;
  lastName?: string;
  dateOfBirth?: string; // Format: YYYY-MM-DD
  email?: string;
  phone?: string;
  espIdentifier?: string;
  profileUrl?: string;
  screenName?: string;
}

Below is an example:

{
  "user_enrichment_data": {
    "associatedAccount": [
      {
        "type": "social",
        "platform": "ExampleSocial",
        "thirdPartyUser": "1234567890",
        "screenName": "alex_on_example",
        "profileUrl": "https://examplesocial.com/u/alex_on_example",
        "email": "[email protected]",
        "espIdentifier": "example-social-12345"
      }
    ]
  }
}

Putting it Together

A typical enrichment response may combine all of these:

{
  "user_enrichment_data": {
    "personOrUserReportedPerson": [
      {
        "espIdentifier": "internal-user-12345",
        "firstName": "Alex",
        "lastName": "Doe",
        "dateOfBirth": "1995-08-14",
        "email": "[email protected]",
        "phone": "+1-555-0100"
      }
    ],
    "ipCaptureEvent": [
      {
        "ipAddress": "203.0.113.10",
        "eventName": "login",
        "dateTime": "2025-12-09T21:15:30Z"
      }
    ],
    "associatedAccount": [
      {
        "type": "social",
        "platform": "ExampleSocial",
        "thirdPartyUser": "1234567890",
        "screenName": "alex_on_example",
        "profileUrl": "https://examplesocial.com/u/alex_on_example",
        "email": "[email protected]",
        "espIdentifier": "example-social-12345"
      }
    ]
  }
}

When this response is returned successfully:

• The Reported Person section (<personOrUserReported>) of the NCMEC report is enriched with your person’s details.
• One or more IP Capture Events (<ipCaptureEvent>) are added for the reported person.
• One or more Associated Accounts (<associatedAccount>) are added to show linked identities.

NCMEC Escalation

You can escalate a report to NCMEC when the content indicates heightened urgency or immediate risk. To escalate a report:

1. Select the Report to NCMEC action.
2. Click Mark as High Priority.
3. Provide a mandatory escalation reason.
4. Submit the report.

Enabling escalation adds an <escalateToHighPriority> section to the final NCMEC report.

Reference NCMEC’s guidance for this field (CyberTipline Report).

Before selecting Report to NCMEC:

After selecting Report to NCMEC you can escalate the post.