# Vulnerability Disclosure Policy
Introduction
The United States (U.S.) Department of Commerce (DOC) manages data critical to creating conditions for U.S. economic growth and opportunity.
The DOC is committed to ensuring the security of the U.S. public by protecting the public’s information from unwarranted disclosure. As such, the DOC has created a Vulnerability Disclosure Policy (VDP) and Vulnerability Disclosure Program, to give security researchers clear guidelines for conducting vulnerability discovery activities on DOC systems and websites and convey the DOC’s preferences in how to submit discovered vulnerabilities to the DOC.
The DOC’s Vulnerability Disclosure Policy describes what systems and types of research are covered under this program, how to submit vulnerability reports, and requirements for public disclosure of submitted vulnerabilities.
Authorization
Security researchers must comply with all applicable Federal, State, and local laws in connection with the security research activities or other participation in this Vulnerability Disclosure Program.
Efforts made in good faith to comply with this policy during all security research will be considered authorized. The DOC will work with the researcher to understand and quickly resolve issues and will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against the security researcher for research conducted in accordance with this policy, the DOC will reaffirm this authorization.
Applicability and Scope
This policy is for security researchers interested in reporting system security vulnerabilities and is intended for authorized DOC publicly available systems/services only. This policy applies to anyone wishing to conduct vulnerability discovery activities, including research and testing conducted on the DOC’s publicly available systems/services within the DOC.gov domains. Specifically, this policy applies to the following DOC websites, information systems, and digital services intended for public use or made internet-accessible:
Out-of-Scope Systems and Services:
Though the DOC develops and maintains other internet-accessible systems or services, we ask that active research and testing be conducted only on the systems and services covered by the scope of this document. We will increase the scope of this policy over time. This policy applies to anyone wishing to conduct vulnerability discovery activities, including research and testing.
If there is uncertainty regarding the scope, please contact [email protected].
Additionally, vulnerabilities found in systems from non-DOC entities are outside of this policy’s scope and should be reported directly to the non-DOC entity according to their disclosure policy. If there is uncertainty regarding the scope of a system, contact [email protected].
While the DOC Office of the Chief Information Officer (OCIO) is responsible for the development and maintenance for various internet-accessible systems or services, research and testing should only be conducted on the systems and services covered by the scope of this policy. The scope of this policy is subject to change; please contact [email protected] if questions arise regarding systems not currently in scope.
Guidelines
Under this policy, “research” means activities in which you:
Upon the discovery of a vulnerability or sensitive data (including personally identifiable information, financial information or proprietary information or trade secrets of any party):
Reporting a Vulnerability
Information submitted under this policy will be used for defensive purposes only. If discovered findings include new vulnerabilities that affect all users of a product or service and not solely the DOC, the DOC may share your report with the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled according to their coordinated vulnerability disclosure process. The DOC will not share your name or contact information without express permission.
The DOC only accepts vulnerability reports through the DOC VDP Reporting Portal. Reports may be submitted anonymously. If contact information is shared, the DOC will acknowledge receipt of the report within three (3) business days.
When submitting a vulnerability, the security researcher acknowledges that there is no expectation of payment and that any future pay claims against the U.S. Government related to the submission have been waived.
When contact information is shared, the DOC commits to coordinating with the security researcher in a transparent and timely manner:
Policy
Vulnerability Reports
To report identified vulnerabilities, security researchers must:
Coordinated Disclosure
DOC is committed to patching vulnerabilities within 90 days or less and to disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.
At the same time, we believe that disclosure in the absence of a readily available patch tends to increase risk rather than reduce it, and so we ask that security researchers refrain from sharing reports with others, or releasing reports to the public, while patching is in progress. If there is a need to inform others of the submitted report before the patch is available, please coordinate with DOC at [email protected] prior to release for assessment.
Use of Vulnerability Reports
Information submitted under this policy shall be used by the DOC for defensive cybersecurity purposes (i.e., to mitigate or remediate vulnerabilities). If a reported issue is determined to be both within the program scope and a valid security issue, the DOC will validate the finding(s), and the security researcher may disclose the vulnerability after a resolution has been issued. The details within the Vulnerability Intake form may be submitted to an independent third-party vendor for evaluation and handling.
Information Sharing
Information submitted under this policy may be shared for defensive cybersecurity means:
Testing Methods
The DOC requires that security researchers comply with authorized test methods to access systems within the publicly available DOC.gov domains, and not perform any unauthorized test methods.
Unauthorized Testing Methods
The following test methods are not authorized by the DOC:
Questions
Questions or suggestions regarding this policy may be sent to [email protected].
This program was crawled on 2021-04-28 and is categorized as cvd.