Vulnerability Disclosure Policy | U.S. Department of Commerce

Introduction

The United States (U.S.) Department of Commerce (DOC) manages data critical to creating conditions for U.S. economic growth and opportunity.

The DOC is committed to ensuring the security of the U.S. public by protecting the public’s information from unwarranted disclosure. As such, the DOC has created a Vulnerability Disclosure Policy (VDP) and Vulnerability Disclosure Program to give security researchers clear guidelines for conducting vulnerability discovery activities on DOC systems and websites, and to convey the DOC’s preferences for how discovered vulnerabilities should be submitted to the DOC.

The DOC’s Vulnerability Disclosure Policy describes what systems and types of research are covered under this program, how to submit vulnerability reports, and requirements for public disclosure of submitted vulnerabilities.

Authorization

Security researchers must comply with all applicable Federal, State, and local laws in connection with the security research activities or other participation in this Vulnerability Disclosure Program.

Efforts made in good faith to comply with this policy during all security research will be considered authorized. The DOC will work with the researcher to understand and quickly resolve issues and will not recommend or pursue legal action related to the researcher’s activities. Should legal action be initiated by a third party against the security researcher for research conducted in accordance with this policy, the DOC will reaffirm this authorization.

Applicability and Scope

This policy is for security researchers interested in reporting system security vulnerabilities and is intended for authorized, publicly available DOC systems/services only. This policy applies to anyone wishing to conduct vulnerability discovery activities, including research and testing conducted on the DOC’s publicly available systems/services within the DOC.gov domains. Specifically, this policy applies to the following DOC websites, information systems, and digital services intended for public use or made internet-accessible:

  • *.dnsops.gov
  • *.nist.gov
  • *.noaa.gov
  • *.uspto.gov
  • *.census.gov
  • *.doc.gov
  • *.commerce.gov
  • *.firstnet.gov
  • *.export.gov
  • *.trade.gov
  • *.2020census.gov
  • *.bea.gov
  • *.aviationweather.gov
  • *.ntis.gov
  • *.weather.gov
  • *.ap.gov
  • *.bldrdoc.gov
  • *.mbda.gov
  • *.drought.gov
  • *.bis.gov
  • *.buyusa.gov
  • *.chips.gov
  • *.climate.gov
  • *.ntia.gov
  • *.manufacturing.gov
  • *.eda.gov
  • *.edison.gov
  • *.fishwatch.gov
  • *.stopfakes.gov
  • *.goes-r.gov
  • *.gps.gov
  • *.heat.gov
  • *.hurricanes.gov
  • *.icams-portal.gov
  • *.iedison.gov
  • *.ofcm.gov
  • *.internet4all.gov
  • *.internetforall.gov
  • *.luca-appeals.gov
  • *.manufacturingusa.com
  • *.marinecadastre.gov
  • *.mfgusa.com
  • *.mgi.gov
  • *.my2020census.gov
  • *.nccoe.org
  • *.nehrp.gov
  • *.time.gov
  • *.tsunami.gov
  • *.nwirp.gov
  • *.papahanaumokuakea.gov
  • *.pscr.gov
  • *.privacyshield.gov
  • *.sdr.gov
  • *.selectusa.gov
  • *.semiconductors.gov
  • *.spaceweather.gov
  • *.spectrum.gov
  • *.standards.gov
  • *.sworm.gov
  • *.tasefiling.gov
  • *.usicecenter.gov
  • *.wwtg.gov
  • *.xd.gov
  • *.cwc.gov

Out-of-Scope Systems and Services:

The following websites, information systems, and services are excluded from the testing provisions and legal protections afforded to Reporters within this policy. If Reporters are uncertain whether a website, information system or digital service is in scope of this policy, it is recommended that they reach out to the DOC Vulnerability Disclosure Program at [email protected] or to the security contact for the information system’s domain name listed in the .gov WHOIS before beginning testing:

  • National Security Systems (NSS). The definition of a National Security System, along with other applicable terms used in the National Security Community, is found in CNSSI 4009, Information Assurance Glossary.
  • Information systems, websites, or services owned and operated by vendors or other entities. Vulnerabilities found in information systems from our vendors and other entities fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).
  • Non-public-facing or non-internet-accessible websites, information systems, and digital services.

Though the DOC develops and maintains other internet-accessible systems or services, we ask that active research and testing be conducted only on the systems and services covered by the scope of this document. We will increase the scope of this policy over time. This policy applies to anyone wishing to conduct vulnerability discovery activities, including research and testing.

If there is uncertainty regarding the scope, please contact [email protected].

Additionally, vulnerabilities found in systems from non-DOC entities are outside of this policy’s scope and should be reported directly to the non-DOC entity according to their disclosure policy. If there is uncertainty regarding the scope of a system, contact [email protected].

While the DOC Office of the Chief Information Officer (OCIO) is responsible for the development and maintenance for various internet-accessible systems or services, research and testing should only be conducted on the systems and services covered by the scope of this policy. The scope of this policy is subject to change; please contact [email protected] if questions arise regarding systems not currently in scope.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify the DOC as soon as possible after the discovery of any real or potential security issue(s).
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not submit a high volume of low-quality reports.

Upon the discovery of a vulnerability or sensitive data (including personally identifiable information, financial information or proprietary information or trade secrets of any party):

  • Stop all testing.
  • Notify the DOC immediately.
  • Do not disclose this data to anyone.

Reporting a Vulnerability

Information submitted under this policy will be used for defensive purposes only. If discovered findings include new vulnerabilities that affect all users of a product or service and not solely the DOC, the DOC may share your report with the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled according to their coordinated vulnerability disclosure process. The DOC will not share your name or contact information without express permission.

The DOC only accepts vulnerability reports through the DOC VDP Reporting Portal. Reports may be submitted anonymously. If the contact information is shared, the DOC will acknowledge receipt of the information within three (3) business days.

When submitting a vulnerability, the security researcher acknowledges that there is no expectation of payment and that any future claims for payment against the U.S. Government related to the submission have been waived.

When contact information is shared, the DOC commits to coordinating with the security researcher in a transparent and timely manner:

  1. Within three (3) business days, the DOC will acknowledge that the report has been received.
  2. Within fifteen (15) business days, the DOC will confirm the existence of the vulnerability and discuss the findings, resolutions, and any issues or challenges that may delay resolution.

Policy

Vulnerability Reports

To report identified vulnerabilities, security researchers must:

  1. Submit vulnerability reports through the DOC VDP Reporting Portal.
  2. Describe where the vulnerability was discovered and the potential impact of exploitation.
  3. Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots).
  4. Submit vulnerability reports anonymously, if desired. If a security researcher provides the DOC with an email address, the DOC will acknowledge receipt of submitted reports via email within three (3) business days.
  5. Keep any information about discovered vulnerabilities confidential for up to ninety (90) calendar days after being notified by the DOC.

Coordinated Disclosure

The DOC is committed to patching vulnerabilities within ninety (90) days or less and to disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.

At the same time, we believe that disclosure in the absence of a readily available patch tends to increase risk rather than reduce it, and so we ask that security researchers refrain from sharing reports with others, or releasing reports to the public, while patching is occurring. If there is a need to inform others of the submitted report before the patch is available, please coordinate with the DOC at [email protected] prior to release so that the request can be assessed.

Use of Vulnerability Reports

Information submitted under this policy shall be used by the DOC for defensive cybersecurity purposes (i.e., to mitigate or remediate vulnerabilities). If an issue has been reported and determined to be both within the program scope and a valid security issue, the DOC will validate the finding(s), and the security researcher can disclose the vulnerability after a resolution has been issued. The details within the Vulnerability Intake form may be submitted to an independent third-party vendor for evaluation and handling.

Information Sharing

Information submitted under this policy may be shared for defensive cybersecurity purposes:

  1. If submitted findings include newly discovered vulnerabilities that affect users of a product or service outside of the DOC, the DOC may share the vulnerability reports with DHS CISA, where they will be handled under DHS CISA’s coordinated vulnerability disclosure process. The DOC retains the right to share this information with DHS CISA and other applicable organizations, as needed.
  2. Personal information pertaining to the security researcher will not be disclosed or shared without the researcher’s express written permission.

Testing Methods

The DOC requires that security researchers comply with authorized test methods to access systems within the publicly available DOC.gov domains, and not perform any unauthorized test methods.

Unauthorized Testing Methods

The following test methods are not authorized by the DOC:

  1. Testing any systems other than those set forth in the ‘Scope’ of this policy.
  2. Physical testing of facilities or resources (e.g., office access, open doors, tailgating).
  3. Social engineering (e.g., phishing, vishing, spam, and other suspicious emails) and any other non-technical vulnerability testing.
  4. Network denial of service (DoS or Distributed DoS) or tests that impair access to, or damage the availability of, a system or data.
  5. Tests that exhaust bandwidth or are resource intensive.
  6. Use of unidentified malware, viruses, Trojan horses, or worms.
  7. Use of rainbow tables, password cracking, or brute-force testing.
  8. Using an exploit to exfiltrate data, establish command line access, establish a persistent presence on DOC systems, or “pivot” to other DOC systems.
  9. Testing third-party applications, websites, or services that integrate with or link to or from DOC systems.
  10. Deleting, altering, sharing, retaining, or destroying DOC data, or rendering DOC data inaccessible.

Questions

Questions or suggestions regarding this policy may be sent to [email protected].