A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP should therefore be easy to find; the standard way to advertise it is a security.txt file (RFC 9116) served at /.well-known/security.txt, whose Contact and Policy fields tell a researcher where to send a report and which terms apply.
DOE OSTI Vulnerability Disclosure Policy

Purpose
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at the Department of Energy Office of Scientific and Technical Information's (DOE OSTI) web properties, and for submitting discovered vulnerabilities to OSTI.

Overview
Maintaining the security of our networks and the integrity of our scientific data is a high priority at OSTI. Our information technologies provide critical services to researchers, scientists, and the general public and allow them to conduct research supporting academic and national security missions. Ultimately, our network security ensures that we can accomplish our mission. The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and OSTI recognizes that fostering a close relationship with the community will help improve our own security. If you have information about a vulnerability in an OSTI website or web application, we want to hear from you! Information submitted to OSTI under this policy will be used for defensive purposes to mitigate or remediate vulnerabilities in our networks or applications. This is OSTI's initial effort to create a positive feedback loop between researchers and OSTI. Please be patient as we refine and update the process, and please feel free to share any feedback with us throughout the process. Please review, understand, and agree to the following terms and conditions before conducting any testing of OSTI networks and before submitting a report. Thank you.

Scope
Any public-facing website owned, operated, or controlled by OSTI, including web applications hosted on those sites.

How to Submit a Report
Please provide as detailed a summary of the vulnerability as possible, including: type of issue; product, version, and configuration of the software containing the bug; step-by-step instructions to reproduce the issue; proof of concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate. This summary should be emailed to OSTI's Security Team at security@osti.gov. By providing your report via email or testing OSTI's web properties, you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to OSTI information systems, and consent to having the contents of the communication and follow-up communications stored on a U.S. Government information system.

Guidelines
OSTI will deal in good faith with researchers who discover, test, and submit vulnerabilities² or indicators of vulnerabilities in accordance with these guidelines. Your activities are limited exclusively to:
(1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
(2) Sharing with, or receiving from, OSTI information about a vulnerability or an indicator related to a vulnerability.
(3) Abiding by the following testing guidelines:
(a) You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
(b) You avoid intentionally accessing the content of any communications, data, or information transiting or stored on OSTI information system(s), except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
(c) You do not exfiltrate any data under any circumstances.
(d) You do not intentionally compromise the privacy or safety of OSTI personnel (e.g. civilian employees or contractors), or any third parties.
(e) You do not intentionally compromise the intellectual property or other commercial or financial interests of any OSTI personnel or entities, or any third parties.
(f) You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from OSTI.
(g) You do not conduct denial of service testing.
(h) You do not conduct social engineering, including spear phishing, of OSTI personnel or contractors.
If at any point you are uncertain whether to continue testing, please engage with our team before continuing!

What You Can Expect From Us
We take every disclosure seriously and very much appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities. OSTI remains committed to coordinating with the researcher as openly and quickly as possible. This includes:
Within three business days, we will acknowledge receipt of your report.
OSTI's security team will investigate the report and may contact you for further information.
To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.
We want researchers to be recognized publicly for their contributions, if that is the researcher's desire (researchers may choose to remain anonymous). We will seek to allow researchers to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized with the express written consent of OSTI, and researchers are not authorized to publicly disclose vulnerabilities without prior written consent from OSTI.
Information submitted to OSTI under this policy will be used for defensive purposes: to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors. Researchers may choose to submit reports anonymously, but anonymous reporting may limit OSTI's ability to keep you up to date throughout the validation/remediation process.

Legal
You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program. OSTI does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-OSTI entity (e.g., other Federal departments or agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-OSTI third party may independently determine whether to pursue legal action or remedies related to such activities.
If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) OSTI will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than OSTI, OSTI will take steps to make known that your activities were conducted pursuant to and in compliance with this policy. OSTI may modify the terms of this policy or terminate the policy at any time.

¹ These websites constitute "information systems" as defined by 6 U.S.C. 1501(9).
² Vulnerabilities throughout this policy may be considered "security vulnerabilities" as defined by 6 U.S.C. 1501(17).
³ These activities, if applied consistent with the terms of this policy, constitute "defensive measures" as defined by 6 U.S.C. 1501(7).

Contact: mailto:security@osti.gov
Expires: 2025-12-31T00:00:00.000Z
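As an added example (not code from this page, from FireBounty or Onyphe, or from OSTI), the Python checker below parses a security.txt file of the kind that advertises a VDP and validates the two fields the page shows at the end of the policy, Contact and Expires, along with the other RFC 9116 fields. The sample files, the example.com URIs and the PGP-signed wrapper are constructed for the example; the crawl date used as "now" is the one stated on this page.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example; not code from FireBounty, Onyphe or OSTI. Sample inputs are
constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Field names defined by RFC 9116; anything else is reported as unknown.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption", "expires",
    "hiring", "policy", "preferred-languages",
}
# Fields whose values are URIs; RFC 9116 requires https:// for web URIs.
URI_FIELDS = ("acknowledgments", "canonical", "encryption", "hiring", "policy")

# The crawl date this page reports, used as the reference time below.
CRAWL_DAY = datetime(2025, 5, 4, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map each lower-cased field name to the list of values it was given.

    Comments (#) and blank lines are skipped. For a PGP-clearsigned file the
    armor header block (e.g. "Hash: SHA256") is ignored and parsing stops at
    the signature, so those lines are never mistaken for fields.
    """
    fields: Dict[str, List[str]] = {}
    in_armor_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True
            continue
        if in_armor_header:
            in_armor_header = line != ""  # header block ends at first blank line
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []

    # Contact: required at least once, as a mailto:, tel: or https: URI.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {c!r}")

    # Expires: required exactly once, ISO 8601 with a timezone, still in the
    # future, and (RFC 9116 recommendation) less than a year away.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"file expired on {exp.isoformat()}")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out")

    for name in URI_FIELDS:
        for v in fields.get(name, []):
            if v.startswith("http://"):
                problems.append(f"{name} uses http://, RFC 9116 requires https://: {v!r}")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")
    return problems


# Constructed sample built from the two fields shown on this page.
SAMPLE_GOOD = """\
# security.txt advertising the OSTI VDP (constructed sample)
Contact: mailto:security@osti.gov
Expires: 2025-12-31T00:00:00.000Z
"""

# Constructed sample with the mistakes the checker is meant to catch.
SAMPLE_BAD = """\
Contact: http://example.com/report
Acknowledgement: https://example.com/hall-of-fame
"""

# Constructed clearsigned sample; the armor header and signature are skipped.
SAMPLE_SIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@osti.gov
Expires: 2025-12-31T00:00:00.000Z
-----BEGIN PGP SIGNATURE-----
(signature data omitted)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("signed", SAMPLE_SIGNED)):
        print(label, check_security_txt(sample, now=CRAWL_DAY) or "OK")
```

Run against the constructed samples with the crawl date as "now", the first and the signed file pass, while the bad file is flagged for an http Contact, a missing Expires and a misspelled field name. Against a later date the good file is reported as expired, which is the check a researcher should make before trusting a stale contact address.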
This policy was crawled by Onyphe on 2025-05-04 and is categorized as securitytxt.
FireBounty © 2015-2025