As the nation’s central bank, the Federal Reserve has 12 regional Reserve Banks working together with the Federal Reserve’s Board of Governors in Washington, D.C., to support a healthy economy. The Fed ensures our nation’s financial system is safe and sound and provides a secure and efficient way to transfer funds electronically.
Maintaining a strong information security posture is crucial to maintaining the ongoing mission of the Federal Reserve. Working with the security research community strengthens this posture, and this Vulnerability Disclosure Program (VDP) seeks to foster this partnership by simplifying responsible disclosure reporting and feedback channels.
The Federal Reserve will make a best effort to meet the following Service Level Agreements (SLAs) for reported vulnerabilities:
| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 1 day |
| Time to Triage | 2 days |
Resolution time depends on severity and complexity. Progress updates will be provided through the process as appropriate.
The Federal Reserve commits to acknowledging disclosed vulnerabilities promptly and working with the security research community to mitigate or remediate weaknesses.
The Federal Reserve asks participating security researchers to:
- Provide the Federal Reserve reasonable time to fix reported issues before disclosing them to outside parties
- Not publicly disclose vulnerabilities or related details without explicit written authorization from the Federal Reserve
- Not include sensitive or identifying data in any public disclosures
- Adhere to the HackerOne disclosure guidelines
Additional policy details may be found in the root-level /.well-known/security.txt file on some Federal Reserve domains.
Avoid mass scanning Federal Reserve domains. Offending IP addresses may be blocked.
Please provide detailed reports of the process you used and vulnerabilities identified with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, the Federal Reserve only triages the first report that was received (provided it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Do not engage in social engineering (e.g., phishing, vishing, smishing).
Avoid violating individual privacy rights, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Do not exploit beyond what is necessary to demonstrate vulnerability presence.
Avoid accessing content of communications, data, or information on Federal Reserve information systems except to the extent that information directly relates to the vulnerability and is necessary to prove the vulnerability exists.
Do not store or share non-public data obtained through testing except to the extent necessary to communicate the finding to the Federal Reserve.
Do not submit a high volume of low-quality reports.
If you are uncertain whether to continue testing, please engage with our team at federal-reserve-program@hackerone.com.
Any publicly-accessible system owned, operated, or controlled by the Federal Reserve System or Federal Reserve Banks, including any Federal Reserve owned web applications or services hosted on those systems.
Federal Reserve Bank sites use non-government top-level domains such as .com, .org, .net, etc.
Federal Reserve Bank domains include, but are not limited to:
- federalreserveonline.org, etc.
- atlantafed.org, etc.
- bostonfed.org, etc.
- chicagofed.org, etc.
- clevelandfed.org, etc.
- dallasfed.org, etc.
- kansascityfed.org, etc.
- minneapolisfed.org, etc.
- newyorkfed.org, etc.
- philadelphiafed.org, etc.
- richmondfed.org, etc.
- sanfranciscofed.org, etc.
- stlouisfed.org, etc.
This VDP applies to the private sector Federal Reserve Banks (generally .com and .org sites) and not the public sector Federal Reserve Board of Governors (.gov sites).
The following are beyond the scope of this VDP:
- *.gov
  - This includes any United States government system, application, or service, such as those pertaining to the Federal Reserve Board of Governors or the United States Department of the Treasury
- People, including Federal Reserve employees, contractors, and vendors
- Physical assets, including Federal Reserve property, facilities, and physical security controls
- Federal Reserve Board of Governors
Activities are limited exclusively to:
- Testing to detect a vulnerability or identify an indicator related to a vulnerability
- Sharing or receiving Federal Reserve information about a vulnerability or an indicator related to a vulnerability
All testing activities should abide by relevant laws
Sometimes abnormal traffic can be considered malicious. Please provide the following header to allow us to correctly identify your traffic:
`VDP-HackerOne-Researcher: username`
Also, please append `HackerOne/username` to the User-Agent string.
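As an added, defender-side example that is not part of the program text: the following Python tags incoming requests by the two identifiers the program asks researchers to send (the `VDP-HackerOne-Researcher` header and the `HackerOne/username` User-Agent token), so a log pipeline or WAF can separate announced researcher traffic from traffic it would otherwise treat as abuse. The sample requests, the placeholder usernames, and the username character set in the regex are constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# The header and User-Agent token the program asks researchers to send.
VDP_HEADER = "vdp-hackerone-researcher"
# Username character set is an assumption, not something the policy specifies.
UA_TAG = re.compile(r"HackerOne/([A-Za-z0-9_.-]+)")


def researcher_tag(headers: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (username, how) for one request's headers.

    how is one of: 'both', 'header', 'user-agent', 'conflict', 'untagged'.
    Header names are compared case-insensitively, as HTTP requires.
    A request whose two tags name different users is reported as
    'conflict' rather than being trusted under either name.
    """
    lowered = {k.strip().lower(): v.strip() for k, v in headers.items()}
    from_header = lowered.get(VDP_HEADER) or None
    match = UA_TAG.search(lowered.get("user-agent", ""))
    from_ua = match.group(1) if match else None
    if from_header and from_ua:
        return (from_header, "both") if from_header == from_ua else (None, "conflict")
    if from_header:
        return from_header, "header"
    if from_ua:
        return from_ua, "user-agent"
    return None, "untagged"


def summarize(requests) -> Dict[str, int]:
    """Count how many requests fall into each tagging outcome."""
    counts: Dict[str, int] = {}
    for h in requests:
        _, how = researcher_tag(h)
        counts[how] = counts.get(how, 0) + 1
    return counts


# Constructed sample requests; the usernames are placeholders.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 HackerOne/alice", "VDP-HackerOne-Researcher": "alice"},
    {"user-agent": "curl/8.4.0"},
    {"VDP-HackerOne-Researcher": " bob "},
    {"User-Agent": "python-requests/2.31 HackerOne/carol"},
    {"User-Agent": "Mozilla/5.0 HackerOne/dave", "VDP-HackerOne-Researcher": "erin"},
]

if __name__ == "__main__":
    for h in SAMPLE_REQUESTS:
        print(researcher_tag(h))
    print(summarize(SAMPLE_REQUESTS))
```

Tagged traffic should still be logged and rate-limited like any other; the tag only tells the operator whom to contact when the activity looks abnormal.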
- Do not harm the Federal Reserve, its customers, employees, or contractors
- Do not intentionally compromise the privacy or safety of Federal Reserve personnel or any third parties
- Do not intentionally compromise the intellectual property or other commercial or financial interests of any Federal Reserve personnel or entities, or any third parties
- Do not exfiltrate or retain any data or sensitive information under any circumstances
- Do not detrimentally compromise, alter, or destroy Federal Reserve or customer data
- Do not perform physical testing
- Do not perform social engineering, including phishing
- Do not perform denial of service testing, including resource exhaustion
- Do not hijack or intentionally disrupt legitimate user sessions
- Do not degrade the quality of Federal Reserve assets, resources, or information
- Do not conduct or initiate fraudulent financial transactions
- Do not perform automated scanning
All vulnerabilities are in scope for disclosure excepting those explicitly listed as out-of-scope below.
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring Man in the Middle (MITM) or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration without a proof of concept demonstrating a vulnerability
- Any activity that could lead to the disruption of service (DoS) for the Federal Reserve
- Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy without demonstrating a vulnerability
- Missing HttpOnly or Secure flags on cookies not related to authentication or sessions
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing (persuading users to submit login details and passwords by impersonating a Federal Reserve website)
- Open redirect, unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction, unless an additional security impact can be demonstrated
We understand the reluctance some researchers have to share information about vulnerabilities they find because of the potential for criminal or civil liability. To encourage responsible research and disclosure of security vulnerabilities, we do not intend to assert claims under the Computer Fraud and Abuse Act or claims of trespass or similar legal theories against researchers who undertake in good faith to test our systems for vulnerabilities and who bring their findings promptly to our attention. You are expected, as always, to comply with all laws applicable to you and not to disrupt or compromise any data beyond what this VDP permits.
We reserve the right in our sole discretion to determine whether your actions are taken in good faith, are consistent with this policy, or are an inadvertent violation. Please contact us before engaging in conduct that you think may be inconsistent with or unaddressed by this policy. Your efforts to proactively contact us before engaging in any action inconsistent with or unaddressed by this policy will be an important factor in our determination.
Thank you for helping keep the Federal Reserve and our users safe!
| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | federalreserveonline.org |
| web_application | atlantafed.org |
| web_application | bostonfed.org |
| web_application | chicagofed.org |
| web_application | clevelandfed.org |
| web_application | dallasfed.org |
| web_application | kansascityfed.org |
| web_application | minneapolisfed.org |
| web_application | newyorkfed.org |
| web_application | philadelphiafed.org |
| web_application | richmondfed.org |
| web_application | frbsf.org |
| web_application | stlouisfed.org |
| web_application | alfred.stlouisfed.org |

| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | *.gov |
| web_application | https://www.federalreserve.gov/ |
This program was found on HackerOne on 2021-03-29.
FireBounty © 2015-2024