Vulnerability Disclosure Policy

CIGIE

Feb 22, 2021

Introduction

This policy addresses the Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy (VDP). BOD 20-01 requires each federal agency to publish a VDP. Publication of agency VDPs will make it easier for users to report vulnerabilities they find in the Federal Government’s internet-accessible systems

CIGIE is committed to ensuring the security of the American public by protecting their information. This policy aims to give security researchers clear guidelines for conducting vulnerability discovery activities and convey our requirements in submitting discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before disclosing vulnerabilities.

We encourage you to contact us to report vulnerabilities in our systems.

Authorization

If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to quickly understand and resolve the issue, and CIGIE will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities conducted according to this policy, we will make this authorization known.

Guidelines

1. Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data or information to anyone else.
2. Avoid privacy violations, degradation of user experience, damage or disruption to CIGIE production systems, and destruction or manipulation of data;
3. Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or use the exploit to pivot to other systems.
4. View CIGIE data only to the extent necessary to document the presence of a potential vulnerability.
5. Provide CIGIE 90 calendar days after you have received our acknowledgement of receipt of your report before you share information about discovered vulnerabilities to the public.
6. Do not submit low-quality reports or false positives.

Test methods

You can conduct your security research activities as long as they do not conflict with the following unauthorized activities:

1. Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage system(s) or data;
2. Physical testing of facilities or resources (e.g., office access, open doors, tailgating);
3. Any non-technical vulnerability testing;
4. Social engineering (e.g., phishing, vishing, pretexting, baiting, and others);
5. Test any system other than the systems outlined in the ‘Scope’ section below;
6. Disclose vulnerability information except as outlined in the ‘Reporting a Vulnerability’ section below;
7. Any unsolicited electronic emails or email-based attacks on CIGIE users;
8. Inject malicious software or conduct privilege escalation;
9. Test third-party applications, websites, or services that integrate with or link to or from CIGIE systems;
10. Delete, alter, share, retain, or destroy CIGIE data;
11. Use an exploit to exfiltrate data, establish command-line access, establish a persistent presence on CIGIE systems, or launch attacks against other CIGIE systems.

Scope

This policy applies to the following systems and services:

1. *.cigie.gov
2. *.ignet.gov
3. *.oversight.gov
4. *.pandemicoversight.gov

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

Reporting a vulnerability

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely CIGIE, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

We accept vulnerability reports via . For anonymous or sensitive information submissions, use our VDP HTTPS web form. By submitting a vulnerability report, you acknowledge that you do not expect a payment, and you expressly waive any future pay claims against the U.S. Government related to your submission.

What we would like to see from you

We require that your reports comply with the following:

1. Adhere to all legal terms and conditions outlined in this policy.
2. Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
3. Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
4. Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

1. Within five business days, we will acknowledge that your report has been received.
2. To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.
3. We will maintain an open dialogue to discuss the reported issue(s).

Questions

Any questions regarding this policy may be sent to

Document change history