Vulnerability Disclosure Policy

The NASA Mission is to drive advances in science, technology, aeronautics, and space exploration to enhance knowledge, education, innovation, economic vitality and stewardship of the Earth. A great deal of NASA work leverages information technology to capture, interpret, and appropriately share scientific knowledge in the furtherance of its Missions and Programs. NASA is committed to protecting the confidentiality (where appropriate), integrity, and availability of its information and information systems.

NASA recognizes that external vulnerabilities can be discovered by anyone at any time and has issued this policy in order to provide clear guidelines to security researchers so that they feel comfortable reporting vulnerabilities they have discovered in good faith.

This vulnerability disclosure policy facilitates NASA’s awareness of otherwise unknown vulnerabilities. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery and disclosure activities to help NASA meet its objectives, and to convey how to submit discovered vulnerabilities to NASA.

This policy describes:

• What systems and types of research are covered under this policy,
• General guidelines for demonstrating good faith,
• How to submit vulnerability reports, and
• What to expect following a vulnerability report.