The Farm Credit System Insurance Corporation (FCSIC) is issuing this Vulnerability Disclosure Policy (VDP or policy) under the Department of Homeland Security Directive 20-01 to give security researchers guidelines for conducting vulnerability discovery activities and for reporting vulnerabilities to us.
We are committed to maintaining the security of our systems and protecting sensitive information from unauthorized disclosure, and we encourage security researchers to contact us to report potential vulnerabilities in our systems. Pursuant to the Binding Operational Directive (BOD), all good faith reporters will be treated the same way under this policy.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Vulnerability disclosure is the act of initially providing vulnerability information to us that you believe we are not aware of. The individual or organization that performs this act is called the reporter or researcher.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
Please send any questions regarding this policy, or recommendations for improving it, to [email protected].
Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and FCSIC will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Guidelines

Under this policy, “research” means activities in which you:
Test Methods

The following test methods are not authorized:
Scope

This policy applies to the following systems and services:
If you aren’t sure whether a system is in scope, contact us at [email protected] before starting your research (or at the security contact for the system’s domain name listed at .gov WHOIS).
Although we develop and maintain other internet-accessible systems and services, active research and testing may be conducted only on the systems and services covered by the scope of this document. If there is a system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
You may submit reports anonymously. However, if you do share your contact information, we will be able to send you an acknowledgement receipt. We may also later decide to provide you information on remediation steps we took in response to your report (see “What you can expect from us” below).
FCSIC does not issue payments for vulnerability reports. By submitting a vulnerability report to FCSIC, you acknowledge that you have no expectation of payment and that you expressly waive any future remuneration claims against the U.S. government related to your submission.
By submitting a vulnerability report, you also warrant that the report and any attachments do not violate the intellectual property rights of any third party.
+ A description of where the vulnerability was discovered and the potential impact of its exploitation.
+ A detailed description of the steps needed to reproduce the vulnerability (screenshots are helpful). **Note:** Do not send proof-of-concept code that demonstrates exploitation of the vulnerability, or any executable files.
+ The date and time (indicating the time zone) the vulnerability was discovered.
+ Acknowledgement that the report is voluntarily submitted and no remuneration is expected.

We prefer that reports be in English, if possible.
When you choose to share your contact information with us, we commit to coordinating with you openly and within a reasonable timeframe.
+ Within five business days, we will acknowledge that your report has been received unless we determine your report is not pertinent to the scope of this policy (e.g., it is spam, product promotion, or marketing), in which case no acknowledgement will be provided.
+ To the best of our ability, we will provide you with confirmation of whether the vulnerability exists, and we will be as transparent as possible about the steps we are taking during the remediation process, including on issues or challenges that may delay resolution. We pledge to be as transparent as possible about how we treat vulnerability reports but cannot promise to give individual responses in all instances.
We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency, as well as any affected vendors. We will not share names or contact data of security researchers unless you give us explicit permission.
Page updated: March 02, 2021