The US Office of Government Ethics (OGE) is committed to ensuring the security of our systems and protecting sensitive information from unlawful disclosure. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to describe how to submit discovered vulnerabilities to us.
In accordance with Department of Homeland Security (DHS) Binding Operational Directive (BOD) 20-01 and Office of Management and Budget (OMB) Memo M-20-32, this policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask reporters to wait before publicly disclosing vulnerabilities.
We encourage researchers to contact us to report potential vulnerabilities in our systems. For reports submitted in compliance with this policy, OGE will acknowledge receipt within three business days.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and OGE will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Under this policy, “research” means activities in which you:
If you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else. You are prohibited from disclosing any personally identifiable information discovered to any third party.
The following test methods are not authorized:
Authorized tests may:
Reporters must:
This policy applies to the following systems:
Any systems or services not explicitly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-federal systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to its disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@oge.gov before starting your research.
Reports are accepted via electronic mail at security@oge.gov. Acceptable message formats are plain text, rich text, and HTML.
Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability. Images, e.g., screen captures, and other documents may be attached to reports. It is helpful to give attachments illustrative names. Reports may include proof-of-concept code that demonstrates exploitation of the vulnerability. We request that any scripts or exploit code be embedded into non-executable file types.
Researchers may submit reports anonymously. If you choose to share contact information, including any preferred methods or times of day to communicate, we may contact you to clarify reported vulnerability information or for other technical interchange.
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible. Within 3 business days, we will acknowledge that your report has been received.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution. We will resolve vulnerabilities within 90 days and notify you of the outcome of your report, if you have provided contact information. If you believe others should be informed of the vulnerability before receiving notification of resolution, we require that you coordinate in advance with us. We will maintain an open dialogue to discuss issues.
We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors.
Questions regarding this policy must be sent to security@oge.gov. The OGE encourages security researchers to contact us for clarification on any element of this policy. We also invite security researchers to contact us with suggestions for improving this policy.
This program was crawled on 2021-04-30 and is categorized as CVD (coordinated vulnerability disclosure).