
Vulnerability Disclosure Policy | U.S. Department of the Interior

<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#"> <head> <meta charset="utf-8" /> <script async src="https://www.googletagmanager.com/gtag/js?id=G-44JE7ECGDQ"></script> <script>window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments)};gtag("js", new Date());gtag("set", "developer_id.dMDhkMT", true);gtag("config", "G-44JE7ECGDQ", {"groups":"default","page_placeholder":"PLACEHOLDER_page_location","link_attribution":true,"allow_ad_personalization_signals":false});gtag('config', 'G-44JE7ECGDQ', {forceSSL: true});</script> <meta name="description" content="Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. " /> <link rel="canonical" href="https://www.doi.gov/vulnerability-disclosure-policy" /> <meta name="robots" content="index, follow" /> <link rel="shortlink" href="https://www.doi.gov/node/36164" /> <meta property="og:site_name" content="U.S. Department of the Interior" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.doi.gov/vulnerability-disclosure-policy" /> <meta property="og:title" content="Vulnerability Disclosure Policy | U.S. Department of the Interior" /> <meta property="og:description" content="Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. " /> <meta name="dcterms.title" content="Vulnerability Disclosure Policy | U.S. Department of the Interior" /> <meta name="dcterms.description" content="Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. 
" /> <meta name="dcterms.date" content="2020-11-12" /> <meta name="dcterms.type" content="Site page" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@Interior" /> <meta name="twitter:creator" content="@Interior" /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script type="application/ld+json">{ "@context": "https://schema.org", "@graph": [ { "isAccessibleForFree": "True" }, { "@type": "WebPage", "description": "Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. ", "isAccessibleForFree": "True" }, { "@type": "WebSite", "name": "U.S. Department of the Interior", "url": "https://www.doi.gov/", "publisher": { "@type": "Organization", "name": "U.S. Department of the Interior" } } ] }</script> <link rel="icon" href="/themes/custom/doi_uswds/favicon.ico" type="image/vnd.microsoft.icon" /> <script id="_fed_an_ua_tag" src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=DOI" type="text/javascript">aa </script> <title>Vulnerability Disclosure Policy | U.S. 
Department of the Interior</title> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_YhivHS3wQkfO4Q5ne0WwxsfOKvYtwDOQBx4qnlLWs_c.css?delta=0&amp;language=en&amp;theme=doi_uswds&amp;include=eJxVjUEOwjAMBD-U4CdFju3QqGmMsq4qfg_igEBzmTkNngg7qDIsqfdy4lIQAxZIspv28FVYxJd2n_S1W1s-w6amzcajnWMaQD-e63DZc_N1JOV4U4ehiE76z88XLp0HYeNl-ep6t3gBoOc82A" /> <link rel="stylesheet" media="all" href="//cdn.datatables.net/1.10.24/css/jquery.dataTables.min.css" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_1aBaSlXh-oTHwf6wuLAhomWhxvQcqm-QC3ztA4pVgcE.css?delta=2&amp;language=en&amp;theme=doi_uswds&amp;include=eJxVjUEOwjAMBD-U4CdFju3QqGmMsq4qfg_igEBzmTkNngg7qDIsqfdy4lIQAxZIspv28FVYxJd2n_S1W1s-w6amzcajnWMaQD-e63DZc_N1JOV4U4ehiE76z88XLp0HYeNl-ep6t3gBoOc82A" /> </head> <body class="path-node page-node-type-site-page"> <a href="#main-content" class="usa-sr-only focusable"> Skip to main content </a> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <section class="usa-banner" aria-label="Official website of the United States government"> <div class="usa-banner"> <div class="usa-accordion"> <header class="usa-banner__header"> <div class="usa-banner__inner"> <div class="grid-col-auto"> <img class="usa-banner__header-flag" aria-hidden="true" src="/themes/custom/doi_uswds/assets/img/us_flag_small.png" alt=""> </div> <div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"> <p class="usa-banner__header-text">An official website of the United States government</p> <p class="usa-banner__header-action" aria-hidden="true">Here's how you know</p> </div> <button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner"> <span class="usa-banner__button-text">Here's how you know</span> </button> </div> </header> <div class="usa-banner__content usa-accordion__content" id="gov-banner" hidden=""> <div class="grid-row grid-gap-lg"> <div class="usa-banner__guidance 
tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/themes/custom/doi_uswds/assets/img/icon-dot-gov.svg" alt="Dot gov"> <div class="usa-media-block__body"> <p> <strong>Official websites use .gov</strong> <br> A <strong>.gov</strong> website belongs to an official government organization in the United States. </p> </div> </div> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/themes/custom/doi_uswds/assets/img/icon-https.svg" alt="Https"> <div class="usa-media-block__body"> <p> <strong>Secure .gov websites use HTTPS</strong> <br> A <strong>lock</strong> ( <span class="icon-lock"> <svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description" focusable="false"> <title id="banner-lock-title">Lock</title> <desc id="banner-lock-description">Locked padlock</desc> <path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"/> </svg> </span> ) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites. 
</p> </div> </div> </div> </div> </div> </div> </section> <main
id="" role="main" class="main_content usa-section"> <div class="grid-container"> <div class="grid-row grid-gap page-content-wrapper"> <div class="usa-layout-docs__main desktop:grid-col-fill"> <h1 class="margin-0 page-title"> <span>Vulnerability Disclosure Policy</span> </h1> <div id="block-doi-uswds-content" class="block block-system block-system-main-block"> <article class="node__content node__content__full node node--type-site-page node--view-mode-full"> <div class="field
field--name-field-lead-in field--type-text-long field--label-hidden field__item"><p><strong><a href="https://bugcrowd.com/doi-vdp">Report any vulnerabilities in DOI systems</a>&nbsp;</strong></p> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Introduction</h3> <div>The Department of the Interior (DOI) is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.&nbsp;</div> <div>&nbsp;</div> <div>This policy describes <strong>what systems and types of research</strong> are covered under this policy, <strong>how to send us</strong> vulnerability reports, and <strong>how long</strong> we ask security researchers to wait before publicly disclosing vulnerabilities.</div> <div>&nbsp;</div> <div>We encourage you to contact us to report potential vulnerabilities in our systems.</div> <h3>Authorization&nbsp;</h3> <div><strong>If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and DOI will not recommend or pursue legal action related to your research. 
Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.</strong></div> <h3>Guidelines</h3> <div>Under this policy, “research” means activities in which you:</div> <ul> <li>Notify us as soon as possible after you discover a real or potential security issue.</li> <li>Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.</li> <li>Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems.&nbsp;</li> <li>Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.</li> <li>Do not submit a high volume of low-quality reports.</li> </ul> <div>Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), <strong>you must stop your test, notify us immediately, and not disclose this data to anyone else.</strong></div> <h3>Test methods</h3> <div>The following test methods are not authorized:</div> <ul> <li>Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data</li> <li>Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. 
phishing, vishing), or any other non-technical vulnerability testing</li> <li>Full red-team penetration testing that involves unauthorized access to our servers</li> </ul> <h3>Scope&nbsp;</h3> <div>This policy applies to the following systems and services:</div> <ul> <li>*.doi.gov</li> </ul> <div><strong>Any services not expressly listed above, such as any connected services, are excluded from scope</strong> and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their Disclosure Policy (if any). If you aren’t sure whether a system is in scope or not, contact us at <a href="mailto:security@doi.gov?subject=Reporting%20a%20DOI%20Vulnerability">security@doi.gov</a> before starting your research (or at the security contact for the system’s domain name listed in the <a href="https://domains.dotgov.gov/dotgov-web/registration/whois.xhtml">.gov WHOIS</a>).&nbsp;</div> <div>&nbsp;</div> <div>Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.&nbsp;</div> <h3>Reporting a vulnerability</h3> <div><em>Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely DOI, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their <a href="https://www.cisa.gov/coordinated-vulnerability-disclosure-process">coordinated vulnerability disclosure process</a>. 
We will not share your name or contact information without express permission.</em></div> <div>&nbsp;</div> <div><strong><a href="https://bugcrowd.com/doi-vdp">Vulnerability reports</a> can be submitted through <a href="https://bugcrowd.com/doi-vdp">Bugcrowd</a>.</strong>&nbsp;Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.</div> <div>&nbsp;</div> <h4>What we would like to see from you</h4> <div>In order to help us triage and prioritize submissions, we recommend that your reports:</div> <ul> <li>Describe the location where the vulnerability was discovered and the potential impact of exploitation.&nbsp;</li> <li>Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).</li> <li>Be in English, if possible.</li> </ul> <h4>What you can expect from us</h4> <div>When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.</div> <ul> <li>Within 3 business days, we will acknowledge that your report has been received.&nbsp;</li> <li>To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.&nbsp;</li> <li>DOI does not provide payment to reporters for submitting vulnerabilities. <ul> <li>Reporters submitting vulnerabilities to DOI, in so doing, waive any claims to compensation.&nbsp;</li> </ul> </li> </ul> <h3>Questions</h3> <div>Questions regarding this policy may be sent to <a href="mailto:security@doi.gov?subject=Report%20DOI%20Vulnerability">security@doi.gov</a>. 
We also invite you to contact us with suggestions for improving this policy.</div> <div>&nbsp;</div> <div> <table border="1" cellpadding="0" cellspacing="0" summary="Vulnerability Disclosure Policy "> <caption><strong>Document Change History</strong></caption> <tbody> <tr> <td><strong>Version</strong></td> <td><strong>Date</strong></td> <td> <p><strong>Description</strong></p> </td> </tr> <tr> <td>1.0</td> <td>2/8/2021</td> <td> <p>First Issuance</p> </td> </tr> <tr> <td>1.2</td> <td>3/1/2021</td> <td>Addition of Form</td> </tr> <tr> <td>1.3</td> <td>11/4/2021</td> <td>BugCrowd URL</td> </tr> </tbody> </table> <p>&nbsp;</p> </div> </div> </article> </div> </div> </div> </div> </main> </div> </body> </html>
