Feb 22, 2021
This policy addresses the Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy (VDP). BOD 20-01 requires each federal agency to publish a VDP. Publication of agency VDPs will make it easier for users to report vulnerabilities they find in the Federal Government’s internet-accessible systems.
CIGIE is committed to ensuring the security of the American public by protecting their information. This policy aims to give security researchers clear guidelines for conducting vulnerability discovery activities and convey our requirements in submitting discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before disclosing vulnerabilities.
We encourage you to contact us to report vulnerabilities in our systems.
If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to quickly understand and resolve the issue, and CIGIE will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities conducted according to this policy, we will make this authorization known.
You can conduct your security research activities as long as they do not conflict with the following unauthorized activities:
This policy applies to the following systems and services:
Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely CIGIE, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
We accept vulnerability reports via . For anonymous or sensitive information submissions, use our VDP HTTPS web form. By submitting a vulnerability report, you acknowledge that you do not expect a payment, and you expressly waive any future pay claims against the U.S. Government related to your submission.
We require that your reports comply with the following:
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
Any questions regarding this policy may be sent to
Version | Date | Description |
---|---|---|
1.0 | Feb 22, 2021 | First issuance. |
This program, crawled on 2021-04-28, is sorted as cvd.