The U.S. Department of Labor (DOL) is committed to ensuring the security of the American public by protecting their information from unauthorized disclosure. This policy is intended to provide security researchers with clear guidelines for conducting vulnerability discovery activities and convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes:

• What systems and types of research are covered under this policy;
• How to send us vulnerability reports; and
• How long we ask security researchers to wait before publicly disclosing vulnerabilities.

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so that we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.

Guidelines

We request that you:

• Notify us as soon as possible after you discover a real or potential security issue.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command-line access and/or persistence, or use the exploit to “pivot” to other systems.
• Once you’ve found a vulnerability or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
• Do not submit a high volume of low-quality reports.
• While it is encouraged to provide contact information, anonymous submissions are also accepted.

Authorization

Finders or researchers that comply with this policy and exercise an appropriate degree of care when performing vulnerability research will be considered authorized. We will work with you to understand and resolve the issue as quickly as possible. We will not recommend or pursue legal action related to your research.

Scope

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

Learn more about Bugcrowd’s VRT.