Vulnerability Disclosure Policy - Policies | NSF

<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#"> <head> <meta charset="utf-8" /> <meta name="description" content="Find out how NSF tracks possible vulnerabilities in its systems, and how the public can help support these efforts." /> <link rel="canonical" href="https://www.nsf.gov/policies/digital/vulnerability-disclosure" /> <link rel="icon" href="/themes/custom/nsf_theme/favicons/favicon-32x32.png" /> <link rel="icon" sizes="16x16" href="/themes/custom/nsf_theme/favicons/favicon-16x16.png" /> <link rel="icon" sizes="32x32" href="/themes/custom/nsf_theme/favicons/favicon-32x32.png" /> <link rel="icon" sizes="96x96" href="/themes/custom/nsf_theme/favicons/favicon-96x96.png" /> <link rel="icon" sizes="192x192" href="/themes/custom/nsf_theme/favicons/android-icon-192x192.png" /> <meta property="og:site_name" content="NSF - National Science Foundation" /> <meta property="og:url" content="https://www.nsf.gov/policies/digital/vulnerability-disclosure" /> <meta property="og:title" content="Vulnerability Disclosure Policy" /> <meta property="og:image" content="https://www.nsf.gov/themes/custom/nsf_theme/logo-200x200.png" /> <meta property="og:image:alt" content="" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@NSF" /> <meta name="twitter:title" content="Vulnerability Disclosure Policy" /> <meta name="twitter:image" content="https://www.nsf.gov/themes/custom/nsf_theme/logo-200x200.png" /> <meta name="twitter:image:alt" content="" /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0];var j=d.createElement(s);var dl=l!='dataLayer'?'&l='+l:'';j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl+'&gtm_auth=g18KstQIuISFV7R8jqLFKQ&gtm_preview=env-1&gtm_cookies_win=x';j.async=true;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-WSDBJPS');</script> <script>window.a2a_config=window.a2a_config||{};a2a_config.callbacks=[];a2a_config.overlays=[];a2a_config.templates={};</script> <script src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=NSF&dclink=true&ver=true&exts=doc,docx,xls,xlsx,xlsm,ppt,pptx,exe,zip,pdf,js,txt,csv,dxf,wmv,jpg,jpeg,gif,png,wma,mov,avi,mp3,mp4,csv" async defer id="_fed_an_ua_tag"></script> <title>Vulnerability Disclosure Policy - Policies | NSF - National Science Foundation</title> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_dHwVKmjMcuLKkMnicGNV1-XKAmnKOokm8Zfttn5Xbbo.css?delta=0&language=en&theme=nsf_theme&include=eJxljEEKwzAMBD_kRk8ysq20IrJkLIXi37eEHgq5DcPsYmthqAvwB9s-TSO5VUbJnRpjFtbD4a62eFGn5MuDOhR0Sqe_m0Ob50BJ6nu-EniKla-oJoLDuYjVA6pNSmOyBhYhIA2O9bie_6YoNOMDfeNBUQ" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_V0Aupyu9RtF4UrU7m0f-bv2KYTHmRCizJ5wkt4HQIio.css?delta=1&language=en&theme=nsf_theme&include=eJxljEEKwzAMBD_kRk8ysq20IrJkLIXi37eEHgq5DcPsYmthqAvwB9s-TSO5VUbJnRpjFtbD4a62eFGn5MuDOhR0Sqe_m0Ob50BJ6nu-EniKla-oJoLDuYjVA6pNSmOyBhYhIA2O9bie_6YoNOMDfeNBUQ" /> <script src="https://script.crazyegg.com/pages/scripts/0041/5508.js" async></script> </head> <body class="env-prod path-node page-node-type-layout-builder-page context-policies-digital-vulnerability-disclosure page-node-view"> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WSDBJPS&gtm_auth=g18KstQIuISFV7R8jqLFKQ&gtm_preview=env-1&gtm_cookies_win=x" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <header class="usa-header usa-header--basic usa-header--megamenu" id="header" role="banner"> <a href="#content-wrap" id='js-skiplink-main-content' class="visually-hidden focusable skip-link"> Skip to main content </a> <section class="usa-banner" aria-label="Official website of the United States government"> <div class="usa-accordion"> <div class="usa-banner__header"> <div class="usa-banner__inner"> <div class="grid-col-auto"> <img aria-hidden="true" class="usa-banner__header-flag" src="/themes/custom/nsf_theme/plugins/uswds/dist/img/us_flag_small.png" alt="" /> </div> <div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"> <p class="usa-banner__header-text">An official website of the United States government</p> <p class="usa-banner__header-action">Here's how you know</p> </div> <button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner"> <span class="usa-banner__button-text">Here's how you know</span> </button> </div> </div> <div class="usa-banner__content usa-accordion__content" id="gov-banner"> <div class="grid-row grid-gap-lg"> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/themes/custom/nsf_theme/plugins/uswds/dist/img/icon-dot-gov.svg" alt="" aria-hidden="true"> <div class="usa-media-block__body"> <p> <strong>Official websites use .gov</strong> <br> A <strong>.gov</strong> website belongs to an official government organization in the United States. </p> </div> </div> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/themes/custom/nsf_theme/plugins/uswds/dist/img/icon-https.svg" alt="" aria-hidden="true"> <div class="usa-media-block__body"> <p> <strong>Secure .gov websites use HTTPS.</strong> <br> A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description">Locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites. </p> </div> </div> </div> </div> </div> </section> <section class="section__header-top"> <div class="region region-header-top"> <div class="alert--full--wrapper usa-alert__bg-warning"> <div class="usa-alert usa-alert--warning alert--full usa-alert--slim " id="block-welcometobeta-unified" data-component-id="nsf_theme:alert"> <div class="alert--full--inner grid-container"> <div class="usa-alert__body message-content"> <div class="usa-alert__text"> <div class="clearfix text-formatted field body"><p><a href="/executive-orders">Learn about NSF's implementation of recent executive orders.</a></p></div> </div> </div> </div> </div> </div> </div> </section> <section class="primary-menu"> <div class="usa-nav-container"> <div class="usa-navbar"> <div class="region region-header"> <div id="block-nsf-theme-branding"> <div class="usa-logo"> <a class="logo logo-img" href="/" title="NSF - National Science Foundation - Home" aria-label="Home"> <div class="logo__wrapper logo--desktop"> <img src="/themes/custom/nsf_theme/components/molecules/logo/logo-desktop.svg" alt="NSF - National Science Foundation - Home" class="logo__image logo__item" /> </div> <div class="logo__wrapper logo--mobile"> <img src="/themes/custom/nsf_theme/components/molecules/logo/logo-mobile.svg" alt="NSF - National Science Foundation - Home" class="logo__image logo__item"/> </div> </a> </div> </div> </div> <div class="usa-navbar__buttons"> <button type="button" class="usa-button usa-navbar__buttons-search"> <span class="usa-sr-only"> Search </span> </button> <button type="button" class="usa-menu-btn usa-navbar__buttons-menu">Menu</button> </div> </div> <div class="usa-overlay"></div> <nav class="usa-nav"> <div class="usa-nav-inner"> <button type="button" class="usa-nav__close"> <img src="/themes/custom/nsf_theme/images/icons/close-base-darkest.svg" alt="Close navigation" /> </button> <div class="region region-primary-menu"> <section> <div id="block-sitesearch" class="block block-block-content block-block-contentd8573fbc-c73e-43c3-9b1c-d9e6f0ce33bb block-sitesearch"> <div class="clearfix text-formatted field body"><form accept-charset="UTF-8" action="https://search.nsf.gov/search" aria-label="Site" class="site-search" id="search1" method="get" name="siteSearchForm" role="search"> <label class="usa-sr-only usa-label" for="QueryText">Search</label> <input class="usa-input" id="QueryText" name="query" placeholder="Search NSF" title="search" type="text"> <input id="affiliate" name="affiliate" type="hidden" value="nsf"> <button class="search-btn" name="search" type="submit"><span class="usa-sr-only">search</span> </button> </form></div> </div> </section> <ul class="usa-nav__primary usa-accordion"> <li class="usa-nav__primary-item find-funding--apply "> <button type="button" class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-1"> <span>Find Funding & Apply</span> </button> <div id="basic-mega-nav-section-1" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="grid-row grid-gap-3"> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Where to Start</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item for-all-researchers--educators "> <a href="/funding/getting-started"> <span>For All Researchers & Educators</span> </a> </li> <li class="usa-nav__submenu-item for-early-career-researchers "> <a href="/funding/early-career-researchers"> <span>For Early-career Researchers</span> </a> </li> <li class="usa-nav__submenu-item for-postdoctoral-fellows "> <a href="/funding/postdocs"> <span>For Postdoctoral Fellows</span> </a> </li> <li class="usa-nav__submenu-item for-graduate-students "> <a href="/funding/graduate-students"> <span>For Graduate Students</span> </a> </li> <li class="usa-nav__submenu-item for-undergraduates "> <a href="/funding/undergraduates"> <span>For Undergraduates</span> </a> </li> <li class="usa-nav__submenu-item for-entrepreneurs "> <a href="/funding/entrepreneurs"> <span>For Entrepreneurs</span> </a> </li> <li class="usa-nav__submenu-item for-industry "> <a href="/funding/industry"> <span>For Industry</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Explore Funding</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item search-all-opportunities "> <a href="/funding/opportunities"> <span>Search All Opportunities</span> </a> </li> <li class="usa-nav__submenu-item by-directorate "> <a href="/funding/find-by-directorate"> <span>By Directorate</span> </a> </li> <li class="usa-nav__submenu-item by-upcoming-due-date "> <a href="/funding/opportunities?sort=nsf_funding_upcoming_due_dates_DESC"> <span>By Upcoming Due Date</span> </a> </li> <li class="usa-nav__submenu-item nsf-wide-initiatives "> <a href="/funding/initiatives"> <span>NSF-wide Initiatives</span> </a> </li> <li class="usa-nav__submenu-item search-funded-projects-awards "> <a href="/awardsearch"> <span>Search Funded Projects (Awards)</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">How to Apply</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item preparing-your-proposal "> <a href="/funding/preparing-proposal"> <span>Preparing Your Proposal</span> </a> </li> <li class="usa-nav__submenu-item submitting-your-proposal "> <a href="/funding/submitting-proposal"> <span>Submitting Your Proposal</span> </a> </li> <li class="usa-nav__submenu-item how-we-make-funding-decisions "> <a href="/funding/merit-review"> <span>How We Make Funding Decisions</span> </a> </li> <li class="usa-nav__submenu-item proposal--award-policies--procedures-guide-pappg "> <a href="/policies/pappg"> <span>Proposal & Award Policies & Procedures Guide (PAPPG)</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Additional Resources</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item researchgov "> <a href="https://www.research.gov/"> <span>Research.gov</span> </a> </li> <li class="usa-nav__submenu-item grantsgov "> <a href="https://www.grants.gov/"> <span>Grants.gov</span> </a> </li> <li class="usa-nav__submenu-item baamnsfgov "> <a href="https://baam.nsf.gov/s/"> <span>Baam.nsf.gov</span> </a> </li> <li class="usa-nav__submenu-item our-directorates--offices "> <a href="/about/directorates-offices"> <span>Our Directorates & Offices</span> </a> </li> </ul> </div> </div> </div> </li> <li class="usa-nav__primary-item manage-your-award "> <button type="button" class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-2"> <span>Manage Your Award</span> </button> <div id="basic-mega-nav-section-2" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="grid-row grid-gap-3"> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Guidance For Awardees</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item getting-started "> <a href="/awards"> <span>Getting Started</span> </a> </li> <li class="usa-nav__submenu-item request-a-change-to-your-award "> <a href="/awards/request-a-change"> <span>Request a Change to Your Award</span> </a> </li> <li class="usa-nav__submenu-item report-your-outcomes "> <a href="/awards/report-your-outcomes"> <span>Report Your Outcomes</span> </a> </li> <li class="usa-nav__submenu-item proposal--award-policies--procedures-guide-pappg "> <a href="/policies/pappg"> <span>Proposal & Award Policies & Procedures Guide (PAPPG)</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Additional Resources</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item who-to-contact-about-your-award "> <a href="/awards/who-to-contact"> <span>Who to Contact About Your Award</span> </a> </li> <li class="usa-nav__submenu-item researchgov "> <a href="https://www.research.gov/"> <span>Research.gov</span> </a> </li> <li class="usa-nav__submenu-item nsf-public-access-repository-par "> <a href="https://par.nsf.gov/"> <span>NSF Public Access Repository (PAR)</span> </a> </li> <li class="usa-nav__submenu-item our-directorates--offices "> <a href="/about/directorates-offices"> <span>Our Directorates & Offices</span> </a> </li> <li class="usa-nav__submenu-item search-funded-projects-awards "> <a href="/awardsearch"> <span>Search Funded Projects (Awards)</span> </a> </li> </ul> </div> </div> </div> </li> <li class="usa-nav__primary-item focus-areas "> <button type="button" class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-3"> <span>Focus Areas</span> </button> <div id="basic-mega-nav-section-3" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="grid-row grid-gap-3"> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Areas We Fund</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item arctic--antarctic "> <a href="/focus-areas/arctic-antarctic"> <span>Arctic & Antarctic</span> </a> </li> <li class="usa-nav__submenu-item astronomy--space "> <a href="/focus-areas/astronomy-space"> <span>Astronomy & Space</span> </a> </li> <li class="usa-nav__submenu-item biology "> <a href="/focus-areas/biology"> <span>Biology</span> </a> </li> <li class="usa-nav__submenu-item broadening-participation-in-stem "> <a href="/focus-areas/broadening-participation-stem"> <span>Broadening Participation in STEM</span> </a> </li> <li class="usa-nav__submenu-item chemistry "> <a href="/focus-areas/chemistry"> <span>Chemistry</span> </a> </li> <li class="usa-nav__submenu-item computing "> <a href="/focus-areas/computing"> <span>Computing</span> </a> </li> <li class="usa-nav__submenu-item earth--environment "> <a href="/focus-areas/earth-environment"> <span>Earth & Environment</span> </a> </li> <li class="usa-nav__submenu-item education--training "> <a href="/focus-areas/education"> <span>Education & Training</span> </a> </li> <li class="usa-nav__submenu-item engineering "> <a href="/focus-areas/engineering"> <span>Engineering</span> </a> </li> <li class="usa-nav__submenu-item facilities--infrastructure "> <a href="/focus-areas/infrastructure"> <span>Facilities & Infrastructure</span> </a> </li> <li class="usa-nav__submenu-item materials-research "> <a href="/focus-areas/materials"> <span>Materials Research</span> </a> </li> <li class="usa-nav__submenu-item mathematics "> <a href="/focus-areas/mathematics"> <span>Mathematics</span> </a> </li> <li class="usa-nav__submenu-item people--society "> <a href="/focus-areas/people-society"> <span>People & Society</span> </a> </li> <li class="usa-nav__submenu-item physics- "> <a href="/focus-areas/physics"> <span>Physics </span> </a> </li> <li class="usa-nav__submenu-item research-partnerships "> <a href="/focus-areas/research-partnerships"> <span>Research Partnerships</span> </a> </li> <li class="usa-nav__submenu-item technology "> <a href="/focus-areas/technology"> <span>Technology</span> </a> </li> <li class="usa-nav__submenu-item explore-all-focus-areas "> <a href="/focus-areas"> <span>Explore all Focus Areas</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Additional Resources</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item explore-our-impacts "> <a href="/impacts"> <span>Explore Our Impacts</span> </a> </li> <li class="usa-nav__submenu-item search-funded-projects-awards "> <a href="/awardsearch"> <span>Search Funded Projects (Awards)</span> </a> </li> <li class="usa-nav__submenu-item nsf-by-the-numbers "> <a href="/about/about-nsf-by-the-numbers"> <span>NSF by the Numbers</span> </a> </li> <li class="usa-nav__submenu-item our-directorates--offices "> <a href="/about/directorates-offices"> <span>Our Directorates & Offices</span> </a> </li> </ul> </div> </div> </div> </li> <li class="usa-nav__primary-item news--events "> <button type="button" class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-4"> <span>News & Events</span> </button> <div id="basic-mega-nav-section-4" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="grid-row grid-gap-3"> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">News</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item news--announcements "> <a href="/news"> <span>News & Announcements</span> </a> </li> <li class="usa-nav__submenu-item science-matters-blog "> <a href="/science-matters"> <span>Science Matters Blog</span> </a> </li> <li class="usa-nav__submenu-item for-the-press "> <a href="/news/media-toolkits"> <span>For the Press</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Events</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item upcoming-events "> <a href="/events"> <span>Upcoming Events</span> </a> </li> <li class="usa-nav__submenu-item nsf-75th-anniversary "> <a href="/75years"> <span>NSF 75th Anniversary</span> </a> </li> <li class="usa-nav__submenu-item nsf-grants-conference "> <a href="/bfa/dias/policy/outreach.jsp#regional"> <span>NSF Grants Conference</span> </a> </li> </ul> </div> </div> </div> </li> <li class="usa-nav__primary-item about "> <button type="button" class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-5"> <span>About</span> </button> <div id="basic-mega-nav-section-5" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="grid-row grid-gap-3"> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Learn About NSF</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item overview "> <a href="/about"> <span>Overview</span> </a> </li> <li class="usa-nav__submenu-item our-directorates--offices "> <a href="/about/directorates-offices"> <span>Our Directorates & Offices</span> </a> </li> <li class="usa-nav__submenu-item nsf--congress "> <a href="/about/congress"> <span>NSF & Congress</span> </a> </li> <li class="usa-nav__submenu-item honorary-awards "> <a href="/od/honorary-awards"> <span>Honorary Awards</span> </a> </li> <li class="usa-nav__submenu-item visit-nsf "> <a href="/about/visit"> <span>Visit NSF</span> </a> </li> <li class="usa-nav__submenu-item contact-us "> <a href="/about/contact-us"> <span>Contact Us</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Work With NSF</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item careers-at-nsf "> <a href="/careers"> <span>Careers at NSF</span> </a> </li> <li class="usa-nav__submenu-item contracting-with-nsf "> <a href="/about/contracting"> <span>Contracting With NSF</span> </a> </li> <li class="usa-nav__submenu-item partnering-with-nsf "> <a href="/about/partner-with-NSF"> <span>Partnering With NSF</span> </a> </li> </ul> </div> <div class="usa-col "> <div class="usa-nav__submenu-item "> <span class="usa-nav__submenu-item-dupe-parent">Additional Resources</span> </div> <ul class="usa-nav__submenu-list"> <li class="usa-nav__submenu-item national-science-board "> <a href="/nsb"> <span>National Science Board</span> </a> </li> <li class="usa-nav__submenu-item national-center-for-science--engineering-statistics-ncses "> <a href="https://ncses.nsf.gov/"> <span>National Center for Science & Engineering Statistics (NCSES)</span> </a> </li> <li class="usa-nav__submenu-item documents--reports "> <a href="/documents-reports"> <span>Documents & Reports</span> </a> </li> <li class="usa-nav__submenu-item budget-performance--financial-reporting "> <a href="/about/budget"> <span>Budget, Performance & Financial Reporting</span> </a> </li> </ul> </div> </div> </div> </li> </ul> </div> </div> </nav> </div> </section> </header> <div id="content-wrap"> <section class="usa-section uswds-middle-section"> <div class="grid-container"> <div class="grid-row grid-gap-lg"> <div class="mobile-lg:grid-col-fill"> <div class="region region-breadcrumb"> <div id="block-nsf-theme-breadcrumbs" class="block block-system block-system-breadcrumb-block block-nsf-theme-breadcrumbs"> <nav aria-label="Breadcrumb" id="system-breadcrumb" class="breadcrumbs"> <ol class="breadcrumbs__list"> <li class="breadcrumbs__item"> <a href="/" class="breadcrumbs__item--url">Home</a> </li> <li class="breadcrumbs__item"> <a href="/policies" class="breadcrumbs__item--url">Policies</a> </li> <li class="breadcrumbs__item"> <a href="/policies/digital" class="breadcrumbs__item--url">Web Policies</a> </li> <li class="breadcrumbs__item"> <span class="breadcrumbs__item--current" aria-current="page">Vulnerability Disclosure Policy</span> </li> </ol> </nav> </div> </div> </div> </div> </div> </section> <main class="uswds-main-content-wrapper grid-container not-search-page three-col-layout"> <div class="grid-row"> <h1 class="page-title--top"> <span class="field field--name-title field--type-string field--label-hidden">Vulnerability Disclosure Policy</span> </h1> </div> <div class="grid-row grid-gap-6"> <aside class="region region-sidebar-first sidebar tablet:grid-col-4 "> <a href="#content-article-wrap" class="visually-hidden focusable skip-link"> Skip to content body </a> <div class="region--sidebar-first"> <div id="nsf-orggroupmenus" class="block block-nsf-custom block-nsf-orggroupmenus layout--sidebar-menu sidenav block-nsforggroupmenus"> <h2 class='sidenav__title'><a href="/policies" class="sidenav__title-link">Policies</a></h2> <nav aria-label='Side navigation' class='usa-accordion'> <ul class=sidenav__list> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="https://www.nsf.gov/policies/access.jsp">Accessibility</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/brand" data-drupal-link-system-path="node/105977">Brand Standards</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/conflict-of-interest" data-drupal-link-system-path="node/111114">Conflicts of Interest</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/cui" data-drupal-link-system-path="node/96009">Controlled Unclassified Information</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/foia" data-drupal-link-system-path="node/109321">Freedom of Information Act and Privacy Act</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/information-quality" data-drupal-link-system-path="node/109374">Information Quality</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/plain-language" data-drupal-link-system-path="node/113125">Plain Language</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/privacy" data-drupal-link-system-path="node/111124">Privacy</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/pappg" data-drupal-link-system-path="node/85833">Proposal and Award Policies and Procedures Guide</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/research-security" data-drupal-link-system-path="node/5664">Research Security</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/responsible-research-conduct" data-drupal-link-system-path="node/105996">Responsible and Ethical Conduct of Research</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/scientific-integrity" data-drupal-link-system-path="node/96952">Scientific Integrity</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/digital/social-media" data-drupal-link-system-path="node/112580">Social Media</a></span> </li> <li class="menu-item menu-item--active-trail menu-level-0"> <span class="menu-item--no-children"><a href="/policies/digital/vulnerability-disclosure" class="is-active" data-drupal-link-system-path="node/113004">Vulnerability Disclosure</a></span> </li> <li class="menu-item menu-level-0"> <span class="menu-item--no-children"><a href="/policies/digital" data-drupal-link-system-path="node/113012">Web</a></span> </li> </ul> </nav> </div> </div> </aside> <div class="region-content constrained-width-container tablet:grid-col-8"> <div id="content-article-wrap"> <div class="region region-content"> <div data-drupal-messages-fallback class="hidden"></div> <div id="block-nsf-theme-content" class="block block-system block-system-main-block block-nsf-theme-content"> <article class="node node--type-layout-builder-page node--promoted node--view-mode-full"> <div class="node__content"> <article class="node text__container node--type-layout-builder-page node--promoted node--view-mode-pre-layout-fields"> <div class="node_view"></div> </article> <div class="layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <div class="body-1"><p>The U.S. National Science Foundation is committed to ensuring the security of the American public by protecting their information. The agency welcomes independent researchers to assess its potential vulnerabilities.</p></div> </section> </div> <div class="block block-nsf-custom block-table-of-contents-block"> <div class="table-of-contents"> <h2 class="table-of-contents__title"> <img class="icon-document" src="/themes/custom/nsf_theme/images/icons/document.svg" alt="" /> On this page </h2> <nav aria-label="Table of Contents" class="table-of-contents__items"> <ul> <li> <a href="#introduction-092" > Introduction</a> </li> <li> <a href="#vulnerability-research-authorization-ce6" > Vulnerability research authorization</a> </li> <li> <a href="#principles-5c1" > Principles</a> </li> <li> <a href="#test-methods-cae" > Test methods</a> </li> <li> <a href="#scope-32b" > Scope</a> </li> <li> <a href="#reporting-a-vulnerability-901" > Reporting a vulnerability</a> </li> <li> <a href="#questions-ff1" > Questions</a> </li> </ul> </nav> </div> </div> </div> </div> </div> </div> <div class="layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <h2 id="introduction-092" class="text__title">Introduction</h2> <div class="text__content text-formatted"><p>NSF is an independent federal agency whose mission is "to promote the progress of science; to advance the national health, prosperity, and welfare; to secure the national defense." NSF funds approximately 25% of all federally supported basic research conducted by America's colleges and universities. Protecting information is integral to the NSF mission.</p><p>NSF encourages the public to report potential vulnerabilities they identify in the agency's systems. NSF's Vulnerability Disclosure Policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities about NSF. The policy describes:</p><ul><li>What systems and types of research are covered under the policy.</li><li>How to send vulnerability reports to NSF.</li><li>How long security researchers are asked to wait before publicly disclosing vulnerabilities.</li></ul><h3>How NSF will use information in vulnerability reports</h3><p>Information submitted under NSF's Vulnerability Disclosure Policy will be used for defensive purposes only to mitigate or remediate vulnerabilities.</p><p>If a researcher's findings include newly discovered vulnerabilities that affect all users of a product or service and not solely NSF, NSF may share the researcher's report with the Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under CISA's <a href="https://www.cisa.gov/coordinated-vulnerability-disclosure-process">coordinated vulnerability disclosure process</a>. The researcher's name or contact information will not be shared without express permission.</p></div> </section> </div> </div> </div> </div> </div> <div class="palette palette--light-gray layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <h2 id="vulnerability-research-authorization-ce6" class="text__title">Vulnerability research authorization</h2> <div class="text__content text-formatted"><p>If a researcher makes a good faith effort to comply with NSF's Vulnerability Disclosure Policy during his or her security research, NSF will consider the research to be authorized and NSF will work with the researcher to understand and resolve the issue quickly. NSF will not recommend or pursue legal action related to the research. Should legal action be initiated by a third party against the researcher for activities that were conducted in accordance with NSF's Vulnerability Disclosure Policy, NSF will make this authorization known.</p></div> </section> </div> </div> </div> </div> </div> <div class="layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <h2 id="principles-5c1" class="text__title">Principles</h2> <div class="text__content text-formatted"><p>Under this policy, a researcher is expected to:</p><ul><li>Ensure test methods do not include unauthorized activities described below.</li><li>Notify NSF as soon as possible after a real or potential security issue is discovered.</li><li>Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.</li><li>Only use exploits to the extent necessary to confirm a vulnerability's presence. Will not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems.</li><li>Allow NSF 90 business days to resolve the issue before disclosing the vulnerability publicly.</li><li>Agree not to submit a high volume of low-quality reports.</li></ul><p>Once a researcher has established that a vulnerability exists or encounters any sensitive data (including personally identifiable information, financial information, proprietary information or trade secrets of any party), <strong>the researcher must stop their test, notify NSF immediately, and not disclose the data to anyone else.</strong></p></div> </section> </div> </div> </div> </div> </div> <div class="layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <h2 id="test-methods-cae" class="text__title">Test methods</h2> <div class="text__content text-formatted"><p>The following test methods are <strong>not</strong> authorized:</p><ul><li>Network denial of service or distributed denial of service (DoS or DDoS) attack tests or other tests that impair access to or damage a system or data.</li><li>Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing) or any other non-technical vulnerability testing.</li></ul></div> </section> </div> </div> </div> </div> </div> <div class="layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <h2 id="scope-32b" class="text__title">Scope</h2> <div class="text__content text-formatted"><p>NSF's Vulnerability Disclosure Policy applies to all NSF internet-accessible systems and services. This includes the following domain names and their subdomains:</p><ul><li>*.nsf.gov</li><li>*.research.gov</li><li>*.sac.gov</li><li>*.usap.gov</li></ul><p>Vulnerabilities found in systems from NSF vendors fall outside the policy's scope and should be reported directly to the vendor according to the vendor's disclosure policy.</p></div> </section> </div> </div> </div> </div> </div> <div class="palette palette--light-gray layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <h2 id="reporting-a-vulnerability-901" class="text__title">Reporting a vulnerability</h2> <div class="text__content text-formatted"><p>Researchers who discover a potential vulnerability that may compromise NSF data or services are asked to follow the notification process below:</p></div> </section> </div> <div class="block block-layout-builder block-inline-blockcomponent-accordion nsf-component usa-accordion js-first-collapsed"> <h2 class="usa-accordion__heading"> <button type="button" class="usa-accordion__button" aria-controls="item-1y1525164304" aria-expanded="true" > Step 1: Notify NSF </button> </h2><div class="usa-accordion__content text-formatted field field-accordion" id="item-1y1525164304" class="field field-accordion" data-component-id="nsf_theme:accordion-item"> <p><p>Send notification of a potential vulnerability through NSF's <a href="https://bugcrowd.com/nsf-vdp">Vulnerability Disclosure Policy Platform</a>. Please provide the following information:</p><ul type="disc"><li><strong>Description of the vulnerability</strong>: Describe the potential vulnerability and the potential impact of exploitation.</li><li><strong>Location and potential impact</strong>: Provide the URL or other identifier of the vulnerability's location and the assessment conducted of the potential impact of the vulnerability.</li><li><strong>Technical information to reproduce the finding</strong>: Provide technical information so that NSF IT specialists may investigate the finding, including the ability to reproduce the finding. Provide a detailed description of the steps needed to reproduce the vulnerability. Proof-of-concept scripts or screenshots are helpful.</li><li><strong>Potential proof-of-concept code</strong>: Provide a potential proof-of-concept code if possible.</li><li><strong>The researcher's acknowledgment of the following statement</strong>: "By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against the U.S. Government related to your submission."</li></ul><p>Researcher submissions are acknowledged <em>within three business days</em> of submission.</p><p><strong>Researchers are asked to refrain from public announcement or discussion of their potential vulnerability findings for 90 business days from the submission date to allow investigation and mitigation by NSF IT specialists.</strong></p></p> </div> <h2 class="usa-accordion__heading"> <button type="button" class="usa-accordion__button" aria-controls="item-2N1597587274" aria-expanded="true" > Step 2: NSF acknowledgment </button> </h2><div class="usa-accordion__content text-formatted field field-accordion" id="item-2N1597587274" class="field field-accordion" data-component-id="nsf_theme:accordion-item"> <p><p>NSF will coordinate with the researcher as openly and as quickly as possible:</p><ul type="disc"><li><em>Within three business days</em>, NSF will acknowledge report receipt.</li><li>To the best of NSF's ability, NSF will confirm the existence of the vulnerability to the researcher and be as transparent as possible about remediation, including on issues or challenges that may delay resolution.</li><li>NSF will maintain an open dialogue to discuss issues.</li></ul></p> </div> <h2 class="usa-accordion__heading"> <button type="button" class="usa-accordion__button" aria-controls="item-3i253644" aria-expanded="true" > Step 3: NSF investigation </button> </h2><div class="usa-accordion__content text-formatted field field-accordion" id="item-3i253644" class="field field-accordion" data-component-id="nsf_theme:accordion-item"> <p><p>NSF IT specialists are responsible for beginning an investigation of publicly reported potential vulnerabilities <em>within three business days</em> of submission.</p><p>NSF IT specialists follow established internal procedures to mitigate potential vulnerabilities. NSF IT specialists will inform the researcher on mitigation or resolution if possible.</p></p> </div> </div> </div> </div> </div> </div> <div class="layout-container--wrapper nsf-layout nsf-layout--base full-browser-width"> <div class = "nsf-layout--outer"> <div class = "nsf-layout--inner"> <div class="layout__region layout__region--main"> <div class="block block-layout-builder block-inline-blockcomponent-text nsf-component"> <section class="text__container"> <h2 id="questions-ff1" class="text__title">Questions</h2> <div class="text__content text-formatted"><p>Questions regarding this policy may be sent to <a href="mailto:dis-secteam@nsf.gov">dis-secteam@nsf.gov</a>. NSF also invites researchers to contact NSF with suggestions for improving this policy.</p></div> </section> </div> </div> </div> </div> </div> <div class="node_view"></div> </div> </article> </div> </div> </div> </div> </div> </main> </div> <div class="usa-footer__return-to-top"> <div class="usa-footer__return-to-top--inner"> <a class="usa-button usa-button--secondary usa-button__link" href="#"><span class="arrow"></span>Top</a> </div> </div> <footer class="usa-footer usa-footer--medium" role="contentinfo"> <div class="usa-footer__secondary-section usa-section"> <div class="grid-container"> <div class="grid-row grid-gap-2 nsf--secondary-footer"> <div class="usa-agency-information desktop:grid-col-4"> <div> <div> <div class="usa-logo"> <a class="logo logo-img" href="/" title="NSF - National Science Foundation - Home" aria-label="Home"> <div class="logo__wrapper logo--desktop"> <img src="/themes/custom/nsf_theme/components/molecules/logo/logo-desktop--white.svg" alt="NSF - National Science Foundation - Home" class="logo__image logo__item" /> </div> <div class="logo__wrapper logo--mobile"> <img src="/themes/custom/nsf_theme/components/molecules/logo/logo-desktop--white.svg" alt="NSF - National Science Foundation - Home" class="logo__image logo__item"/> </div> </a> </div> </div> </div> <div class="usa-footer__contact-links"> <address> <div class="usa-footer__contact-heading">2415 Eisenhower Ave Alexandria, VA 22314</div> <div><a class="nsf--phone" href="tel:(703)292-5111">(703) 292-5111</a></div> </address> <div class="region region-footer"> <div id="block-emailupdates" class="block block-block-content block-block-content0888028e-c0e0-438c-8538-7e831c88f2d0 block-emailupdates"> <div class="clearfix text-formatted field body"><p><span class="icon__envelope"><svg aria-hidden="true" fill="currentColor" viewBox="0 0 20 16" height="16" width="20"><path clip-rule="evenodd" d="M18 0H2C0.9 0 0.00999999 0.9 0.00999999 2L0 14C0 15.1 0.9 16 2 16H18C19.1 16 20 15.1 20 14V2C20 0.9 19.1 0 18 0ZM18 4L10 9L2 4V2L10 7L18 2V4Z" fill="currentColor" fill-rule="evenodd" /></svg></span><a class="nsf--emailsignup" href="https://service.govdelivery.com/accounts/USNSF/subscriber/new?qsp=823">Sign up for email updates</a></p></div> </div> <div id="block-socialmedialinks-footer" class="block-social-media-links block block-social-media-links-block block-socialmedialinks-footer"> <ul class="social-media-links--platforms platforms inline horizontal"> <li> <a class="social-media-link-icon--facebook" href="https://www.facebook.com/US.NSF" > <img src="/libraries/nsf_iconset/facebook-icon_square_32x32.png" alt="Facebook"> </a> </li> <li> <a class="social-media-link-icon--twitter" href="https://www.twitter.com/NSF" aria-label="X (formerly known as Twitter)" title="X (formerly known as Twitter)" > <img src="/libraries/nsf_iconset/twitter-icon_square_32x32.png" alt="Twitter"> </a> </li> <li> <a class="social-media-link-icon--instagram" href="https://www.instagram.com/nsfgov" > <img src="/libraries/nsf_iconset/instagram-icon_square_32x32.png" alt="Instagram"> </a> </li> <li> <a class="social-media-link-icon--youtube" href="https://www.youtube.com/user/VideosatNSF" > <img src="/libraries/nsf_iconset/youtube-icon_square_32x32.png" alt="YouTube"> </a> </li> <li> <a class="social-media-link-icon--linkedin" href="https://www.linkedin.com/company/national-science-foundation" > <img src="/libraries/nsf_iconset/linkedin-icon_square_32x32.png" alt="LinkedIn"> </a> </li> <li> <a class="social-media-link-icon--nsfrss" href="https://nsf.gov/rss" > <img src="/libraries/nsf_iconset/nsfrss-icon_square_32x32.png" alt="RSS"> </a> </li> </ul> </div> </div> </div> </div> <div class="desktop:grid-col-8"> <div class="region region-footer-menus"> <nav aria-labelledby="block-footer-menu" id="block-footer" class="block block-menu navigation menu--footer"> <h2 class="visually-hidden menu--footer__title" id="block-footer-menu" >Footer</h2> <div class="menu--footer__content"> <ul class="menu--footer__list"> <li class="menu-item--top menu-item"> <h3><span>About Us</span></h3> <ul class="menu--footer__sublist"> <li class="menu-item--sub menu-item"> <a href="/about" data-drupal-link-system-path="group/275">About NSF</a> </li> <li class="menu-item--sub menu-item"> <a href="/careers" data-drupal-link-system-path="node/1989">Careers</a> </li> <li class="menu-item--sub menu-item"> <a href="/about/directorates-offices" data-drupal-link-system-path="node/95240">Our Directorates & Offices</a> </li> <li class="menu-item--sub menu-item"> <a href="/nsb" data-drupal-link-system-path="group/2">National Science Board</a> </li> <li class="menu-item--sub menu-item"> <a href="/about/contact-us" data-drupal-link-system-path="node/95239">Contact Us</a> </li> </ul> </li> <li class="menu-item--top menu-item"> <h3><span>What's New</span></h3> <ul class="menu--footer__sublist"> <li class="menu-item--sub menu-item"> <a href="/news" data-drupal-link-system-path="node/11137">News & Announcements</a> </li> <li class="menu-item--sub menu-item"> <a href="/events" data-drupal-link-system-path="events">Events</a> </li> <li class="menu-item--sub menu-item"> <a href="/science-matters" data-drupal-link-system-path="group/247">Science Matters Blog</a> </li> </ul> </li> <li class="menu-item--top menu-item"> <h3><span>Information For</span></h3> <ul class="menu--footer__sublist"> <li class="menu-item--sub menu-item"> <a href="/funding" data-drupal-link-system-path="group/283">Funding Seekers</a> </li> <li class="menu-item--sub menu-item"> <a href="/awards" data-drupal-link-system-path="group/282">NSF Awardees</a> </li> <li class="menu-item--sub menu-item"> <a href="/about/congress" data-drupal-link-system-path="group/295">Congress </a> </li> <li class="menu-item--sub menu-item"> <a href="/news/media-toolkits" data-drupal-link-system-path="node/81900">Media</a> </li> <li class="menu-item--sub menu-item"> <a href="/focus-areas/education#educational-resources" data-drupal-link-system-path="node/95653">Educators</a> </li> <li class="menu-item--sub menu-item"> <a href="/about/meetings" data-drupal-link-system-path="group/293">Panelists</a> </li> </ul> </li> <li class="menu-item--top menu-item"> <h3><span>Resources</span></h3> <ul class="menu--footer__sublist"> <li class="menu-item--sub menu-item"> <a href="/documents-reports" data-drupal-link-system-path="node/115745">Documents & Reports</a> </li> <li class="menu-item--sub menu-item"> <a href="/about/budget" data-drupal-link-system-path="node/95097">Budget, Performance & Financial Reporting</a> </li> <li class="menu-item--sub menu-item"> <a href="/public-access" data-drupal-link-system-path="node/5619">Public Access</a> </li> <li class="menu-item--sub menu-item"> <a href="/stopping-harassment" data-drupal-link-system-path="node/95035">Stopping Harassment</a> </li> <li class="menu-item--sub menu-item"> <a href="/research-security" data-drupal-link-system-path="node/5664">Research Security</a> </li> <li class="menu-item--sub menu-item"> <a href="/policies/scientific-integrity" data-drupal-link-system-path="node/96952">Scientific Integrity</a> </li> <li class="menu-item--sub menu-item"> <a href="https://www.research.gov/research-web/">Research.gov</a> </li> </ul> </li> </ul> </div> </nav> </div> </div> </div> </div> </div> <div class="bottom-menu--wrapper"> <div class="grid-container bottom-menu"> <div class="region region-bottom-menu"> <nav aria-labelledby="block-requiredpolicylinks-menu" id="block-requiredpolicylinks" class="block block-menu navigation menu--required-policy-links"> <h2 class="visually-hidden menu--required-policy-links__title" id="block-requiredpolicylinks-menu" >Required Policy Links</h2> <div class="menu--required-policy-links__content"> <ul class="menu"> <li class="menu-item menu-item--active-trail"> <a href="/policies/digital/vulnerability-disclosure" class="is-active" data-drupal-link-system-path="node/113004">Vulnerability disclosure</a> </li> <li class="menu-item"> <a href="/oig" data-drupal-link-system-path="group/238">Inspector General</a> </li> <li class="menu-item"> <a href="/policies/privacy" data-drupal-link-system-path="node/111124">Privacy</a> </li> <li class="menu-item"> <a href="/policies/foia" data-drupal-link-system-path="node/109321">FOIA</a> </li> <li class="menu-item"> <a href="/od/ocr/no-fear-act" data-drupal-link-system-path="node/112949">No FEAR Act</a> </li> <li class="menu-item"> <a href="https://www.usa.gov/">USA.gov</a> </li> <li class="menu-item"> <a href="https://www.nsf.gov/policies/accessibility">Accessibility</a> </li> <li class="menu-item"> <a href="/policies/nsf_plain_language.jsp">Plain language</a> </li> </ul> </div> </nav> </div> </div> </div> </footer> </div> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"","currentPath":"node\/113004","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"data":{"extlink":{"extTarget":false,"extTargetAppendNewWindowLabel":"(opens in a new window)","extTargetNoOverride":false,"extNofollow":true,"extTitleNoOverride":false,"extNoreferrer":false,"extFollowNoOverride":true,"extClass":"ext","extLabel":"(link is external)","extImgClass":false,"extSubdomains":true,"extExclude":"(.*\\.gov\\\/)|(.*\\.mil\\\/)|((public|service)\\.govdelivery\\.com\\\/)|(web\\\/)|(.*\\.amazonaws\\.com\\\/)|(.*\\.akamaihd\\.net\\\/)|(nsf\\.widencollective\\.com\\\/)|(www\\.facebook\\.com\\\/)|(www\\.instagram\\.com\\\/)|(www\\.linkedin\\.com\\\/)|(www\\.twitter\\.com\\\/)|(www\\.youtube\\.com\\\/)","extInclude":"","extCssExclude":".extlink-extra-leaving, .no-extlink-icon, .twitter-tweet","extCssInclude":"","extCssExplicit":"","extAlert":false,"extAlertText":"This link will take you to an external web site. We are not responsible for their content.","extHideIcons":false,"mailtoClass":"0","telClass":"tel","mailtoLabel":"(link sends email)","telLabel":"(link is a phone number)","extUseFontAwesome":false,"extIconPlacement":"append","extPreventOrphan":false,"extFaLinkClasses":"fa fa-external-link","extFaMailtoClasses":"fa fa-envelope-o","extAdditionalLinkClasses":"","extAdditionalMailtoClasses":"","extAdditionalTelClasses":"","extFaTelClasses":"fa fa-phone","whitelistedDomains":[],"extExcludeNoreferrer":""}},"collapsiblock":{"active_pages":false,"slide_speed":200,"cookie_lifetime":null},"mediaFilter":{"nodeType":"layout_builder_page"},"user":{"uid":0,"permissionsHash":"6659df87c779fe26a0d591457634a18e6a952a25b743340bef68876cd02d631d"}}</script> <script src="/sites/default/files/js/js_EOJtk1kuRlk4fscGaM9jW6O7n6Mtac2yP8YGY6Y2K-w.js?scope=footer&delta=0&language=en&theme=nsf_theme&include=eJx9y90OwiAMhuEbgnFJpoOOEbuWlKLOq3fzbx550nxJnxdSMgFeA7zHMKmwuahwXzHn8Bmut2tq4Xkdt-lkMy4YMskI5KIQQW1lJInnEEXxx5j0OFcpbM3jzVB5K463onVlE5Pq9nLLlyqMGx--yvsX8yZ-h0feSkKGy78UCNUePMxbng"></script> <script src="https://static.addtoany.com/menu/page.js" async></script> <script src="/sites/default/files/js/js_Crd5plHP02uYbSHq86z0b3_d7Zd3aLDjjfp6xb2M1BE.js?scope=footer&delta=2&language=en&theme=nsf_theme&include=eJx9y90OwiAMhuEbgnFJpoOOEbuWlKLOq3fzbx550nxJnxdSMgFeA7zHMKmwuahwXzHn8Bmut2tq4Xkdt-lkMy4YMskI5KIQQW1lJInnEEXxx5j0OFcpbM3jzVB5K463onVlE5Pq9nLLlyqMGx--yvsX8yZ-h0feSkKGy78UCNUePMxbng"></script> <script src="/themes/custom/nsf_theme/js/touchpoints.min.js?stuild" defer></script> <script src="/sites/default/files/js/js_8tthYQFaGkabvgGdxCfYBbMr0FxDSZDDWeTgtIvuFgI.js?scope=footer&delta=4&language=en&theme=nsf_theme&include=eJx9y90OwiAMhuEbgnFJpoOOEbuWlKLOq3fzbx550nxJnxdSMgFeA7zHMKmwuahwXzHn8Bmut2tq4Xkdt-lkMy4YMskI5KIQQW1lJInnEEXxx5j0OFcpbM3jzVB5K463onVlE5Pq9nLLlyqMGx--yvsX8yZ-h0feSkKGy78UCNUePMxbng"></script> <script src="https://touchpoints.app.cloud.gov/touchpoints/f0b5f6ee.js" async></script> <script src="/sites/default/files/js/js_UpjI8Epd_caQAT2UutIIa-AV79daYJeboU3Nn4HyyJk.js?scope=footer&delta=6&language=en&theme=nsf_theme&include=eJx9y90OwiAMhuEbgnFJpoOOEbuWlKLOq3fzbx550nxJnxdSMgFeA7zHMKmwuahwXzHn8Bmut2tq4Xkdt-lkMy4YMskI5KIQQW1lJInnEEXxx5j0OFcpbM3jzVB5K463onVlE5Pq9nLLlyqMGx--yvsX8yZ-h0feSkKGy78UCNUePMxbng"></script> </body> </html>

CINXE.COM

Vulnerability Disclosure Policy - Policies | NSF - National Science Foundation