Vulnerability Disclosure Policy | Federal Communications Commission
<!DOCTYPE html> <html lang="und" dir="ltr" prefix="og: https://ogp.me/ns#"> <head> <meta charset="utf-8" /> <noscript><style>form.antibot * :not(.antibot-message) { display: none !important; }</style> </noscript><meta name="description" content="Federal Communications Commission March 1, 2021 Purpose The Federal Communications Commission (FCC) is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us." /> <link rel="shortlink" href="https://www.fcc.gov/node/243972" /> <link rel="canonical" href="https://www.fcc.gov/vulnerability-disclosure-policy" /> <meta property="og:type" content="Article" /> <meta property="og:title" content="Vulnerability Disclosure Policy" /> <meta property="og:image" content="https://www.fcc.gov/sites/default/files/social-media-sharing-fcc-logo.jpg" /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script type="text/javascript" src="/ruxitagentjs_ICA7NVfgqrux_10299241024162415.js" data-dtconfig="rid=RID_407374351|rpid=928675046|domain=fcc.gov|reportUrl=/rb_706199aa-11a3-4ff8-ba63-645d681c25d1|app=d4189a392587ff62|cuc=m6usf5hq|mel=100000|featureHash=ICA7NVfgqrux|dpvc=1|lastModification=1732099504580|tp=500,50,0|rdnt=1|uxrgce=1|agentUri=/ruxitagentjs_ICA7NVfgqrux_10299241024162415.js"></script><link rel="icon" href="/themes/custom/fcc/favicon.ico" type="image/vnd.microsoft.icon" /> <script>window.a2a_config=window.a2a_config||{};a2a_config.callbacks=[];a2a_config.overlays=[];a2a_config.templates={};</script> <title>Vulnerability Disclosure Policy | Federal Communications Commission</title> <link rel="stylesheet" 
media="all" href="/sites/default/files/css/css_RIfE9Kys4e8ZQ3nLTo20h8u01dZJrq2EFlLm9eW9xzs.css?delta=0&language=und&theme=fcc&include=eJx9jksOxSAIRTdkdEkNClbzLDZCP-7-NcZBR52Qc-4lBEDUCtwdTLCxVVYTnwEXSd3IvdjKuX51VlLejHRR2pwHIdMA8-1EeyETQ3hRIkBqJXsZGlIVYkO3lsw_h-3Yodip8wzD6aGN9UMulMUDM41g0UTPPzus9Ad0YFIc" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_N_9odMaP6QcFIEYQmHF1GDnTIUlBxFWtSQC8L94s9RI.css?delta=1&language=und&theme=fcc&include=eJx9jksOxSAIRTdkdEkNClbzLDZCP-7-NcZBR52Qc-4lBEDUCtwdTLCxVVYTnwEXSd3IvdjKuX51VlLejHRR2pwHIdMA8-1EeyETQ3hRIkBqJXsZGlIVYkO3lsw_h-3Yodip8wzD6aGN9UMulMUDM41g0UTPPzus9Ad0YFIc" /> <script src="/sites/default/files/js/js_Cqo_oN2nFFhdOa-x3MNE4LvtQrTF2wxTqmxwVOCNxxM.js?scope=header&delta=0&language=und&theme=fcc&include=eJx9jksOxSAIRTdkdEkNClbzLDZCP-7-NcZBR52Qc-4lBEDUCtwdTLCxVVYTnwEXSd3IvdjKuX51VlLejHRR2pwHIdMA8-1EeyETQ3hRIkBqJXsZGlIVYkO3lsw_h-3Yodip8wzD6aGN9UMulMUDM41g0UTPPzus9Ad0YFIc"></script> <script src="https://use.fontawesome.com/releases/v5.13.1/js/all.js" defer crossorigin="anonymous"></script> <script src="https://use.fontawesome.com/releases/v5.13.1/js/v4-shims.js" defer crossorigin="anonymous"></script> </head> <body class="node-243972 node-type--page page-node-page page-node-243972 layout-two-sidebars path-node page-node-type-page"> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="node page"> <section class="container-fluid page_header"> <div class="page_header_container"> <div class="container"> <div class="breadcrumbs"> <div class="block block--fcc-page-title"> <h1 class="display-4"> <span>Vulnerability Disclosure Policy</span> </h1> </div> </div> </div> </div> </section> <main role="main" class="container"> <div class="row"> <div class="col-12 col-sm-12 col-md-12 main-content" > <div 
data-drupal-messages-fallback class="hidden"></div> <article class="node page page--full"> <div> <div class="row"> <div class="col-md-12"> <div class="page-body"> <div class="page__body"> <h4><em>Federal Communications Commission<br> March 1, 2021</em></h4> <h3><strong>Purpose</strong></h3> <p>The Federal Communications Commission (FCC) is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.</p> <p>This policy describes <strong>what systems and types of research</strong> are covered under this policy, <strong>how to send us</strong> vulnerability reports, and <strong>how long</strong> we ask security researchers to wait before publicly disclosing vulnerabilities.</p> <p>We encourage you to contact us to report potential vulnerabilities in our systems.</p> <h3><strong>Scope</strong></h3> <p>All fcc.gov domains are within scope of the FCC’s vulnerability disclosure program and are authorized for testing. Vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). 
If you aren’t sure whether a system is in scope or not, contact us at <a href="mailto:NSOC-Monitor@fcc.gov?subject=VDP : Vulnerability Report&body=1.%20Share%20where%20you%20found%20the%20vulnerability%20(examples%20may%20be%20a%20hostname,%20URL,%20IP%20address,%20or%20radio%20frequency%20band):%0D%0A2.%20Describe%20the%20vulnerability%20and%20its%20potential%20impact:%0D%0A3.%20Give%20a%20detailed%20description%20of%20the%20steps%20needed%20to%20reproduce%20the%20vulnerability%20(links%20to%20proof%20of%20concept%20scripts%20or%20screenshots%20are%20helpful):%0D%0A4.%20Is%20there%20anything%20else%20we%20should%20know?:%0D%0A5.%20You%20may%20share%20your%20email%20address%20so%20that%20we%20can%20contact%20you%20about%20your%20report:">NSOC-Monitor@fcc.gov</a> before starting your research. Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. The scope of this policy will increase over time.</p> <h3><strong>Policy</strong></h3> <h4><strong>Authorization</strong></h4> <p><strong>If the FCC determines that you made a good faith<sup>1</sup> effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve potential issues quickly, and the FCC will not recommend or pursue legal action related to your research. 
Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.</strong></p> <hr> <p><sup>1</sup> “In the context of [the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 20-01], “good faith” means security research conducted with the intent to follow an agency’s [Vulnerability Disclosure Policy (VDP)] without any malicious motive; [the FCC] may evaluate an individual’s intent on multiple bases, including by their actions, statements, and the results of their actions. In other words, good faith security research means accessing a computer or software solely for purpose of testing or investigating a security flaw or vulnerability and disclosing those findings in alignment with the VDP. The security researcher’s actions should be consistent with an attempt to improve security and to avoid doing harm, either by unwarranted invasions of privacy or causing damage to property.” Additional information on what is meant by good faith can be found at <a href="https://cyber.dhs.gov/bod/20-01/#what-does-the-directive-mean-by-good-faith">https://cyber.dhs.gov/bod/20-01/#what-does-the-directive-mean-by-good-f…</a>.</p> <h4><strong>Guidelines</strong></h4> <p>Under this policy, “research” means activities in which you:</p> <ul> <li>Notify us as soon as possible after you discover a real or potential security issue.</li> <li>Make every effort to avoid privacy breaches, degradation of user experience, disruption to production systems, and destruction or manipulation of data. In the event you encounter personally identifiable information during your testing, you will immediately cease testing and notify the FCC.</li> <li>Only use exploits to the extent necessary to confirm a vulnerability’s presence. 
Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems.</li> <li>Provide us a minimum of 90 days to resolve the issue before requesting to publicly disclose the report.</li> <li>Do not submit a high volume of low-quality reports.</li> </ul> <p>Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), <strong>you must stop your test, notify us immediately, and not disclose this data to anyone else</strong>.</p> <h4><strong>Test methods</strong></h4> <p>The following test methods are not authorized:</p> <ul> <li>Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data (such as brute force testing).</li> <li>Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.</li> </ul> <h3><strong>Applicable Laws/Guidance</strong></h3> <ul> <li><a href="https://cyber.dhs.gov/bod/20-01/">Binding Operational Directive (BOD) 20-01, available at: https://cyber.dhs.gov/bod/20-01/.</a></li> </ul> <h3><strong>Information and Assistance</strong></h3> <h4><strong>Reporting a vulnerability</strong></h4> <p>Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. 
If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely the FCC, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their <a href="https://www.cisa.gov/coordinated-vulnerability-disclosure-process">coordinated vulnerability disclosure process</a>.</p> <p>We accept vulnerability reports through our Bugcrowd program (<a href="https://bugcrowd.com/fcc-vdp">https://bugcrowd.com/fcc-vdp</a>) and questions can be directed to <a href="mailto:NSOC-Monitor@fcc.gov?subject=VDP : Vulnerability Report&body=1.%20Share%20where%20you%20found%20the%20vulnerability%20(examples%20may%20be%20a%20hostname,%20URL,%20IP%20address,%20or%20radio%20frequency%20band):%0D%0A2.%20Describe%20the%20vulnerability%20and%20its%20potential%20impact:%0D%0A3.%20Give%20a%20detailed%20description%20of%20the%20steps%20needed%20to%20reproduce%20the%20vulnerability%20(links%20to%20proof%20of%20concept%20scripts%20or%20screenshots%20are%20helpful):%0D%0A4.%20Is%20there%20anything%20else%20we%20should%20know?:%0D%0A5.%20You%20may%20share%20your%20email%20address%20so%20that%20we%20can%20contact%20you%20about%20your%20report:">NSOC-Monitor@fcc.gov</a>. Reports may be submitted anonymously. 
If you share contact information, we will acknowledge receipt of your report within 5 business days.</p> <h4><strong>What we would like to see from you</strong></h4> <p>In order to help us triage and prioritize submissions, we recommend that your reports:</p> <ul> <li>Describe the location where the vulnerability was discovered and the potential impact of exploitation.</li> <li>Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).</li> <li>Be in English, if possible.</li> </ul> <h4><strong>What you can expect from us</strong></h4> <p>When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.</p> <ul> <li>Within 5 business days, we will acknowledge that your report has been received.</li> <li>To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including any issues or challenges that may delay resolution.</li> <li>We will maintain an open dialogue to discuss issues.</li> </ul> <h4><strong>Questions</strong></h4> <p>Questions regarding this policy may be sent to <strong><a href="mailto:NSOC-Monitor@fcc.gov?subject=VDP : Vulnerability Report&body=1.%20Share%20where%20you%20found%20the%20vulnerability%20(examples%20may%20be%20a%20hostname,%20URL,%20IP%20address,%20or%20radio%20frequency%20band):%0D%0A2.%20Describe%20the%20vulnerability%20and%20its%20potential%20impact:%0D%0A3.%20Give%20a%20detailed%20description%20of%20the%20steps%20needed%20to%20reproduce%20the%20vulnerability%20(links%20to%20proof%20of%20concept%20scripts%20or%20screenshots%20are%20helpful):%0D%0A4.%20Is%20there%20anything%20else%20we%20should%20know?:%0D%0A5.%20You%20may%20share%20your%20email%20address%20so%20that%20we%20can%20contact%20you%20about%20your%20report:">NSOC-Monitor@fcc.gov</a></strong>. 
We also invite you to contact us with suggestions for improving this policy.</p> </div> </div> <div class="meta-container"> <div class="bureau-office mb-3 mt-3"> <strong>Bureau/Office:</strong> <div class="page__field-bureau-office-ref"> <div class="field__items"> <div class="field__item"><a href="/managing-director" hreflang="und">Managing Director</a></div> </div> </div> </div> <div class="tags"> <div class="page__field-tags"> <div class="field__label fw-bold"> Tags<span class="field__label__suffix mr-1">:</span> </div> <ul id="tags-list"> <li><a href="/tags/fcc-management-policies" hreflang="und">FCC Management & Policies</a></li> <li><a href="/tags/policy" hreflang="und">Policy</a></li> </ul> </div> </div> <div class="date_updated mt-3"> <strong>Updated:</strong><br> Friday, October 1, 2021 </div> </div> </div> <div class="sidebar-block col-md-4"> </div> </div> </div> </div> </article> </div> </div> </main> </div> </div> </body> </html>