Cybersecurity is a public good that is strongest when the public is given the ability to contribute. When agencies integrate vulnerability reporting into their existing cybersecurity risk management activities, they can weigh and address a wider array of concerns. They can also better protect the information they hold on behalf of the American public.
A key component to receiving cybersecurity help from the public is to establish a formal policy that describes the activities people can undertake to find and report vulnerabilities in a legally authorized manner. Such a policy enables us to remediate vulnerabilities before they can be exploited by an adversary, to immense public benefit, and enhances the resiliency of our online services by encouraging meaningful collaboration. Such a policy also makes it easier for the public to know where to send a report, what types of testing are authorized for which systems, and what communication to expect.
We are committed to providing a secure environment to safeguard our mission to drive openness, cultivate public participation, and strengthen our nation’s democracy through public access to high-value Government records. We appreciate your help in facilitating that.
a. NARA is committed to ensuring the security of the American public by protecting their information. This policy gives security researchers guidelines for conducting vulnerability discovery activities and conveys our preferences on how to submit discovered vulnerabilities to us.
b. This policy describes the systems and types of research covered by this policy, how to send NARA vulnerability reports, and how long NARA asks security researchers to wait before publicly disclosing vulnerabilities.
c. We encourage you to contact us to report potential vulnerabilities in our systems.
If you make a good faith effort to comply with this policy during your security research, NARA will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
a. Under this policy, “research” means activities in which you adhere to the following:
b. Once you've established that a vulnerability exists or encounter any sensitive data (including controlled unclassified information (CUI) such as personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify NARA immediately, and not disclose this data to anyone else.
The following test methods are not authorized:
a. This policy applies to the following systems and services:
b. Any service not expressly listed above, such as any connected services, is outside the scope of this policy and is not authorized for testing. Additionally, vulnerabilities found in systems from NARA’s vendors fall outside this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact NARA at security-vdp@nara.gov before starting your research (or at the security contact for the system’s domain name listed in the .gov WHOIS).
c. Though NARA develops and maintains other internet-accessible systems or services, we ask that active research and testing be conducted on only the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
a. We will use information you submit under this policy for defensive purposes only, to mitigate or remediate vulnerabilities.
b. We accept vulnerability reports online or via security-vdp@nara.gov. You can submit reports anonymously online. If you share contact information, we will acknowledge receipt of your report within three business days.
c. When you submit a report, we encourage you to:
d. When we receive a report:
Department of Homeland Security (DHS) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy (September 2, 2020). BOD 20-01 requires each agency to develop and publish a vulnerability disclosure policy and maintain supporting handling procedures.
Document change history
| Version | Date | Description |
|---|---|---|
| 1.0 | March, 2021 | Initial issuance |
| 1.1 | September, 2022 | Add new domains |