Introduction

The United States (U.S.) Department of Commerce (DOC) manages data critical to creating conditions for U.S. economic growth and opportunity. The DOC is committed to ensuring the security of the U.S. public by protecting the public's information from unwarranted disclosure. As such, the DOC has created a Vulnerability Disclosure Policy (VDP) and Vulnerability Disclosure Program to give security researchers clear guidelines for conducting vulnerability discovery activities on DOC systems and websites, as well as to convey the DOC's preferences for how discovered vulnerabilities should be submitted to the DOC. This policy describes which systems and types of research are covered under the program, how to submit vulnerability reports, and the requirements for public disclosure of submitted vulnerabilities.

Authorization

Security researchers must comply with all applicable Federal, State, and local laws in connection with their security research activities or other participation in this Vulnerability Disclosure Program. Efforts made in good faith to comply with this policy during all security research will be considered authorized. The DOC will work with the researcher to understand and quickly resolve issues, and will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against the security researcher for research conducted in accordance with this policy, the DOC will reaffirm this authorization.

Applicability and Scope

This policy is for security researchers interested in reporting system security vulnerabilities and is intended for authorized, publicly available DOC systems/services only. It applies to anyone wishing to conduct vulnerability discovery activities, including research and testing conducted on the DOC's publicly available systems/services within the DOC.gov domains.
Specifically, this policy applies to the following systems and services:

- Commerce.gov
- vqwt.its.bldrdoc.gov/video-quality.php
- ncp.nist.gov

Any service not expressly listed above, such as connected services, DOC Bureau sub-domains, or third-party sites or services, is excluded from scope and is not authorized for testing. Although the DOC, including the DOC Office of the Chief Information Officer (OCIO), develops and maintains other internet-accessible systems and services, active research and testing must be conducted only on the systems and services covered by the scope of this policy. The scope of this policy is subject to change and will be expanded over time. Vulnerabilities found in systems belonging to non-DOC entities are outside the scope of this policy and should be reported directly to that entity according to its own disclosure policy. If there is any uncertainty regarding whether a system is in scope, contact VulnerabilityDisclosure@doc.gov before testing.

Guidelines

Under this policy, "research" means activities in which you:

- Notify the DOC as soon as possible after the discovery of any real or potential security issue(s).
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence.
- Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
- Do not submit a high volume of low-quality reports.

Upon the discovery of a vulnerability or of sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party):

- Stop ALL tests.
- Notify the DOC immediately.
- Do NOT disclose this data to anyone.

Reporting a Vulnerability

Information submitted under this policy will be used for defensive purposes only. If your findings include new vulnerabilities that affect all users of a product or service and not solely the DOC, the DOC may share your report with the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled according to CISA's coordinated vulnerability disclosure process. The DOC will not share your name or contact information without express permission.

The DOC only accepts vulnerability reports through the DOC Vulnerability Intake form. Reports may be submitted anonymously. When submitting a vulnerability, the security researcher acknowledges that there is no expectation of payment and that any future claims for payment against the U.S. Government related to the submission are waived.

When contact information is shared, the DOC commits to coordinating with the security researcher in a transparent and timely manner:

- Within three (3) business days, the DOC will acknowledge that the report has been received.
- Within fifteen (15) business days, the DOC will confirm the existence of the vulnerability and provide further discussion of findings, resolutions, and/or issues or challenges that may delay resolution.
Policy

Vulnerability Reports

To report identified vulnerabilities, security researchers must:

- Submit vulnerability reports through the DOC Vulnerability Intake form (anonymously, if desired).
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots).
- Keep any information about discovered vulnerabilities confidential for up to ninety (90) calendar days after being notified by the DOC.

If a security researcher provides the DOC with an email address, the DOC will acknowledge receipt of submitted reports via email within three (3) business days.

Coordinated Disclosure

The DOC is committed to patching vulnerabilities within ninety (90) days or less and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other's mistakes. At the same time, we believe that disclosure in the absence of a readily available patch tends to increase risk rather than reduce it, and so we ask that security researchers refrain from sharing reports with others, or releasing reports to the public, while patching is occurring. If there is a need to inform others of the submitted report before the patch is available, please coordinate with the DOC at VulnerabilityDisclosure@DOC.gov prior to release so that the request can be assessed.

Use of Vulnerability Reports

Information submitted under this policy shall be used by the DOC for defensive cybersecurity purposes (i.e., to mitigate or remediate vulnerabilities).
If a reported issue is determined to be both within the program scope and a valid security issue, the DOC will validate the finding(s), and the security researcher may disclose the vulnerability after a resolution has been issued. The details within the Vulnerability Intake form may be submitted to an independent third-party vendor for evaluation and handling.

Information Sharing

Information submitted under this policy may be shared for defensive cybersecurity purposes: if submitted findings include newly discovered vulnerabilities that affect users of a product or service outside of the DOC, the DOC may share vulnerability reports with DHS CISA, where they will be handled under DHS CISA's coordinated vulnerability disclosure process. The DOC retains the right to share this information with DHS CISA and other applicable organizations, as needed. Personal information pertaining to the security researcher will not be disclosed or shared without the researcher's express written permission.

Testing Methods

The DOC requires that security researchers comply with authorized test methods when accessing systems within the publicly available DOC.gov domains, and not perform any unauthorized test methods.

Unauthorized Testing Methods

The following test methods are not authorized by the DOC:

- Testing any systems other than those set forth in the 'Scope' of this policy.
- Physical testing of facilities or resources (e.g., office access, open doors, tailgating).
- Social engineering (e.g., phishing, vishing, spam, and other suspicious email) and any other non-technical vulnerability testing.
- Network denial of service (DoS or Distributed DoS) or tests that impair access to, or damage the availability of, a system or data.
- Tests that exhaust bandwidth or are resource intensive.
- Unidentified malware, viruses, Trojan horses, or worms.
- Rainbow tables, password cracking, or brute force testing.
- Using an exploit to exfiltrate data, establish command line access, establish a persistent presence on DOC systems, or "pivot" to other DOC systems.
- Testing third-party applications, websites, or services that integrate with or link to or from DOC systems.
- Deleting, altering, sharing, retaining, or destroying DOC data, or rendering DOC data inaccessible.

Questions

Questions or suggestions regarding this policy may be sent to VulnerabilityDisclosure@DOC.gov.