Scope and ROE – Department Of Commerce Responsible Disclosure powered by Synack

Rules of Engagement

No Denial of Service testing
No Physical or Social Engineering
No testing of Third-party Services
No uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox, YouTube)
All attack payload data must use professional language
If able to gain access to a system, accounts, users, or user data, stop at the point of recognition and report. Do not dive deeper to determine how much more is accessible.
When documenting a vulnerability, if a vulnerability is public, please make sure it is discreet and doesn't identify the client.