Vulnerability disclosure policy
We’re committed to ensuring the security of the American public by protecting their information. The vulnerability disclosure policy gives security researchers clear guidelines for vulnerability discovery activities. It also conveys how we'd like you to report vulnerabilities to us.
This policy describes:
- Good faith efforts
- Guidelines for applying this policy
- Test methods that aren’t authorized
- Systems and services covered by this policy
- How to send us vulnerability reports
- How long we ask security researchers to wait before publicly disclosing vulnerabilities
We encourage you to report potential vulnerabilities in our systems.
Demonstrate a good faith effort to follow this policy
If you make a good faith effort to follow this policy during your security research:
- We’ll consider your research to be authorized.
- We’ll work with you to understand and resolve the issue quickly.
- We won’t recommend or pursue legal action related to your research.
- We’ll make this authorization known if legal action is initiated by a third party against you for activities that were conducted in accordance with this policy.
Guidelines for applying this policy
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Use exploits only to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the - exploit to pivot to other systems.
- Provide a reasonable amount of time for us to resolve the issue before you disclose it to the public.
- Avoid submitting a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Test methods that aren’t authorized
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
Systems and services covered by this policy
This policy applies to the following systems and services:
- get.gov, manage.get.gov, and all subdomains of get.gov
- get.gov source code on GitHub
- manage.get.gov (.gov registrar) source code on GitHub
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope, email us at [email protected] before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.
How to report a vulnerability
Submit a vulnerability report using this form or via [email protected]. You can submit a report anonymously. If you share contact information, we will acknowledge receipt of your report within three business days.
What to include in your vulnerability report
Help us triage and prioritize submissions. We recommend that your reports:
- Describe where the vulnerability is in the system and the potential impact of exploitation.
- Offer a detailed description of steps necessary to reproduce the vulnerability. Proof of concept scripts or screenshots are helpful.
- Use English, if possible
What you can expect from us
If you share contact information with us, we commit to coordinating with you in an open and timely manner.
- We’ll acknowledge that your report has been received within three business days.
- To the best of our ability, we’ll confirm the existence of the vulnerability to you and be as transparent as possible about what remediation steps we're taking, including on issues that may delay resolution.
- We’ll maintain an open dialogue to discuss issues.
Other .gov systems and services
If you find a security or privacy issue on another .gov service, check our data to see if the domain has a security contact. Most federal (executive branch) agencies also have a vulnerability disclosure policy. If you’re unable to find a contact or receive no response from the security contact, email [email protected].
Questions regarding this policy may be sent to [email protected].