The purpose of the Vulnerability Disclosure Policy (VDP) as defined in the Binding Operational Directive (BOD)[1] 20-01 is to enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. This policy makes it easier for the public to know where to send a report, what types of testing are authorized for which information systems, and what communication to expect. It also allows agencies to integrate vulnerability reporting into existing cybersecurity risk management activities. This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more data to protect their agencies. Additionally, ensuring consistent policies across the Executive Branch offers those who report vulnerabilities equivalent protection and a more uniform experience.
The Commodity Futures Trading Commission (“CFTC” or “Commission”) is committed to maintaining the security of its information systems and protecting information from unauthorized use and disclosure. This policy defines the information systems covered by the policy, the types of security research allowed on CFTC information systems, how to submit CFTC vulnerability findings, and establishes a grace period that Vulnerability Reporters are encouraged to adhere to prior to initiating any public disclosure.
The Commission understands that without assurances that good faith security research is welcomed and authorized, researchers may fear legal reprisal, and some may choose not to report discovered vulnerabilities to the agency. The Commission recognizes that a reporter or anyone in possession of vulnerability information can disclose or publish the information at any time, including without prior notice to the agency. However, such uncoordinated disclosure could result in exploitation of the vulnerability before the agency is able to address it, which could have legal penalties for the reporter as well. One objective of this policy is to reduce risk to the Commission’s infrastructure and the public by encouraging coordinated disclosure so there is time to fix the vulnerability before it is widely known.
This policy covers all CFTC public-facing websites, forms, and applicable external systems:
CFTC.gov
Whistleblower.gov
This policy outlines specific practices for research testing the security of the CFTC information systems, discovering vulnerabilities, proper research documentation, and a method for informing the CFTC of discovered vulnerability findings.
Under this policy, all of a Vulnerability Reporter’s research that complies with this policy is considered to be authorized. The CFTC will work to understand and resolve the issue quickly, and will not recommend or pursue any legal action related to the Vulnerability Reporter’s research.
Vulnerability Reporters are required to report potential vulnerabilities identified in CFTC information systems prior to publicly disclosing their findings. Vulnerability Reporters should contact the CFTC as early as possible, upon discovery of vulnerabilities, using approved methods defined in this policy. Early contact allows time to reasonably address vulnerabilities and protect CFTC information systems from unintended exploitation or harm. For reports submitted in compliance with this policy, CFTC will acknowledge receipt within five business days. CFTC will have 90 days from the acknowledgement date to confirm and resolve the vulnerability prior to public disclosure.
The CFTC will endeavor to validate properly detailed submissions within a reasonable time frame, implement corrective actions if appropriate, and inform researchers of the nature of reported vulnerabilities.
This policy applies to all CFTC information users, any information gained through research, and CFTC information systems owned or leased by the Commission.
Information is “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms.” (See OMB Circular A-130)
Information system “means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” (See 44 U.S.C. § 3502)
Personally identifiable information (PII) is “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” (See OMB Circular A-130)
Vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Vulnerabilities are typically exploited to weaken the security of a system, its data, or its users, with impact to system confidentiality, integrity, or availability.
Vulnerability disclosure is the “act of initially providing vulnerability information to a party that was not believed to be previously aware”. The individual or organization that performs this act is called the Vulnerability Reporter.
Vulnerability Reporter: The individual or organization that performs the research testing on CFTC information systems and performs the act of disclosing, i.e., reports the vulnerability.
Vulnerability Reporters may:
Vulnerability Reporters must not:
Report submission method: Reports are accepted via electronic mail at [email protected].
Acceptable message formats: Acceptable message formats are plain text, rich text, and HTML. TLS 1.2 must be used as a secure message transport method.
Report details:
Personally Identifiable Information: Security researchers should make every effort to avoid using exploits that would compromise or exfiltrate PII. If, while conducting security research authorized by this policy, a security researcher accesses or exfiltrates PII, the vulnerability should be reported to the Commission immediately and the researcher should take reasonable steps to prevent further disclosure of the information. Vulnerability Reporters reporting a vulnerability that implicates PII shall take care not to include in their report any PII accessed through the vulnerability.
Reporter’s choice of anonymity or providing contact information: Reports may be submitted anonymously, or researchers may choose to provide their contact information, and any preferred methods or times of day to communicate, as they see fit. It is helpful to provide contact information, as the CFTC may need to contact researchers to clarify reported vulnerability information or for other technical interchange. Please do not send any additional PII beyond name and contact information when submitting a report.
No monetary compensation or endorsements: CFTC does not maintain a bug bounty program and will not endorse an organization that reports vulnerabilities to the Commission. Reporters will not receive payment for submitting vulnerabilities and, by submitting, reporters waive any claims to compensation.
Intellectual Property and Licensing: By submitting a report to the CFTC, researchers warrant that the report and any attachments do not violate the intellectual property rights of any third party, and the reporter grants the CFTC a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.
The CFTC is committed to timely correction of vulnerabilities. However, the agency recognizes that public disclosure of a vulnerability in the absence of a readily available corrective action is more likely to increase risk than to decrease it. Accordingly, the reporting entity is encouraged not to share information about discovered vulnerabilities for 90 calendar days after receiving CFTC acknowledgement of the initial report. Some vulnerability remediation may take longer, and coordination with the CFTC prior to disclosure is highly recommended. If you believe others should be informed of the vulnerability prior to the implementation of corrective actions, CFTC requires that you coordinate in advance with us.
The CFTC may share vulnerability reports with the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. CFTC may reach out to researchers for additional information as requested by vendors. Names or contact data of security researchers or vendor points of contact (POCs) will not be shared unless the security researcher has given explicit permission.
This policy will be reviewed annually, or every 2 years following an update to BOD 20-01 by CISA, to account for changes in the general cybersecurity landscape and to incorporate additional best practices for receiving, tracking, and reporting vulnerabilities identified by researchers.
Questions regarding this policy may be sent to [email protected]. The CFTC encourages security researchers to contact the agency for clarification on any element of this policy. Please contact the CFTC prior to conducting research if there is doubt whether a specific test method is inconsistent with or unaddressed by this policy. Suggestions for improving this policy are encouraged to be sent via [email protected].
[1] A binding operational directive is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014 (“FISMA”). Id. § 3553(b)(2). Federal agencies are required to comply with these DHS-developed directives. Id. § 3554(a)(1)(B)(ii). DHS binding operational directives do not apply to statutorily defined “National Security Systems” or to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).