Please review the Department of Commerce Vulnerability Disclosure Policy.
Powered by Synack
Responsible Disclosure Policy
ResponsibleDisclosure.com (operated by an independent third party, Synack, on behalf of the Department of Commerce). This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only.
The details within your request form will be submitted to Synack. If you have reported an issue determined to be within program scope and to be a valid security issue, Synack will validate your finding and you will be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by Synack through their platform, accordingly you must accept the Synack terms of service if you wish to proceed. All queries are to be directed to Synack and managed exclusively through the ResponsibleDisclosure.com online portal.
For a full overview and listing of the DOC VDP program scope, please visit the DOC Vulnerability Disclosure Policy | U.S. Department of Commerce page. For inquiries on scope or the Department of Commerce’s Vulnerability Disclosure Policy, please contact DOC@responsibledisclosure.com.
Responsible Disclosure Guidelines
Researchers must follow the testing guidelines outlined in the DOC VDP, as well as the guidelines below (excerpted from the Synack ROE page and not covered by the DOC VDP):
- Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.com
- Work directly with ResponsibleDisclosure.com on vulnerability submissions
- Provide a detailed description of a proof of concept that allows the vulnerability to be reproduced
- Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
- Do not engage in social engineering or phishing of customers or employees
- Do not request compensation for time and materials or vulnerabilities discovered
- No uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox, YouTube)
- All attack payload data must use professional language
- When documenting a vulnerability, if a vulnerability is public, take measures to ensure it does not identify the Department of Commerce.
- The use of automated scanners (OWASP ZAP, Qualys, Nessus, etc.) is strictly prohibited.