The Federal Communications Commission (FCC) is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems.
If the FCC determines that you made a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve potential issues quickly, and the FCC will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
1 “In the context of [the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 20-01], “good faith” means security research conducted with the intent to follow an agency’s [Vulnerability Disclosure Policy (VDP)] without any malicious motive; [the FCC] may evaluate an individual’s intent on multiple bases, including by their actions, statements, and the results of their actions. In other words, good faith security research means accessing a computer or software solely for purpose of testing or investigating a security flaw or vulnerability and disclosing those findings in alignment with the VDP. The security researcher’s actions should be consistent with an attempt to improve security and to avoid doing harm, either by unwarranted invasions of privacy or causing damage to property.” Additional information on what is meant by good faith can be found at https://cyber.dhs.gov/bod/20-01/#what-does-the-directive-mean-by-good-faith.
Under this policy, “research” means activities in which you:
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
The following test methods are not authorized:
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
Scope Type | Scope Name |
---|---|
web_application | https://www.fcc.gov/* |
web_application | https://consumercomplaints.fcc.gov |
web_application | https://autodiscover.fcc.gov |
web_application | https://fccravpn.fcc.gov |
web_application | https://xmail.fcc.gov |
web_application | https://gbvdi.fcc.gov |
web_application | https://osts.fcc.gov |
web_application | https://ecfsapi.fcc.gov |
web_application | https://apps2.fcc.gov |
web_application | https://apps2demo.fcc.gov |
web_application | https://apps3.fcc.gov |
web_application | *.exploretsp.gov |
web_application | https://auctionapplicationdemo.fcc.gov |
web_application | https://auctionbidding.fcc.gov |
web_application | https://auctionbidding2.fcc.gov |
web_application | https://auctiondata.fcc.gov |
web_application | https://auctionfiling.fcc.gov |
web_application | https://auctionsignon.fcc.gov |
web_application | https://auctionsignon2.fcc.gov |
web_application | https://data.fcc.gov |
web_application | https://dcvdi.fcc.gov |
web_application | https://ecfsapi-prototype.fcc.gov |
web_application | https://enterpriseefiling.fcc.gov |
web_application | https://esupport.fcc.gov |
web_application | https://fccdata.fcc.gov |
web_application | https://fjallfoss.fcc.gov |
web_application | https://opendata.fcc.gov |
web_application | https://p2p-mic-sasentry.fcc.gov |
web_application | https://www3.fcc.gov |
web_application | https://paydemo.fcc.gov |
Firebounty have crawled on 2021-09-21 the program Federal Communications Commission: Vulnerability Disclosure Program on the platform Bugcrowd.
FireBounty © 2015-2024