Vulnerability Disclosure Policy
Cybersecurity is a public good that is strongest when the public is given the ability to contribute. When agencies integrate vulnerability reporting into their existing cybersecurity risk management activities, they can weigh and address a wider array of concerns. They can also better protect the information they hold on behalf of the American public.
A key component to receiving cybersecurity help from the public is to establish a formal policy that describes the activities people can undertake to find and report vulnerabilities in a legally authorized manner. Such a policy enables us to remediate vulnerabilities before they can be exploited by an adversary, to immense public benefit, and enhances the resiliency of our online services by encouraging meaningful collaboration. Such a policy also makes it easier for the public to know where to send a report, what types of testing are authorized for which systems, and what communication to expect.
We are committed to providing a secure environment to safeguard our mission to drive openness, cultivate public participation, and strengthen our nation’s democracy through public access to high-value Government records. We appreciate your help in facilitating that.
NARA EP 2021-01 (March 1, 2021): NARA's Vulnerability Disclosure Policy
1. General
a. NARA is committed to ensuring the security of the American public by protecting their information. This policy gives security researchers guidelines for conducting vulnerability discovery activities and conveys our preferences on how to submit discovered vulnerabilities to us.
b. This policy describes the systems and types of research covered by this policy, how to send NARA vulnerability reports, and how long NARA asks security researchers to wait before publicly disclosing vulnerabilities.
c. We encourage you to contact us to report potential vulnerabilities in our systems.
2. Authorization
If you make a good faith effort to comply with this policy during your security research, NARA will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
3. Guidelines
a. Under this policy, “research” means activities in which you adhere to the following:
- Notify NARA as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Use exploits only to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems; if you do, the activity will not qualify as research.
- Provide NARA with a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports to us.
b. Once you've established that a vulnerability exists or have encountered any sensitive data (including controlled unclassified information (CUI) such as personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify NARA immediately, and not disclose this data to anyone else.
4. Test methods
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
5. Scope
a. This policy applies to the following systems and services:
- *.911COMMISSION.GOV
- *.9-11COMMISSION.GOV
- *.ARCHIVES.GOV
- *.BUSH41LIBRARY.GOV
- *.CLINTONLIBRARY.GOV
- *.DD214.GOV
- *.EISENHOWERLIBRARY.GOV
- *.FCIC.GOV
- *.FORDLIBRARYMUSEUM.GOV
- *.FRC.GOV
- *.GEORGEWBUSHLIBRARY.GOV
- *.HISTORY.GOV
- *.JFKLIBRARY.GOV
- *.JIMMYCARTERLIBRARY.GOV
- *.LBJLIBRARY.GOV
- *.NARA.GOV
- *.NIXONLIBRARY.GOV
- *.OBAMALIBRARY.GOV
- *.OBAMAWHITEHOUSE.GOV
- *.OURDOCUMENTS.GOV
- *.REAGANLIBRARY.GOV
- *.RECORDSMANAGEMENT.GOV
- *.TRUMANLIBRARY.GOV
- *.TRUMPLIBRARY.GOV
- *.TRUMPWHITEHOUSE.GOV
- *.WARTIMECONTRACTING.GOV
- *.WEBHARVEST.GOV
- GITHUB.COM/USNATIONALARCHIVES
b. Any service not expressly listed above, such as any connected services, is outside the scope of this policy and is not authorized for testing. Additionally, vulnerabilities found in systems from NARA’s vendors fall outside this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact NARA at security-vdp@nara.gov before starting your research (or at the security contact for the system’s domain name listed in the .gov WHOIS).
c. Though NARA develops and maintains other internet-accessible systems or services, we ask that active research and testing be conducted on only the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
6. Reporting a vulnerability
a. We will use information you submit under this policy for defensive purposes only – to mitigate or remediate vulnerabilities.
b. We accept vulnerability reports online or via security-vdp@nara.gov. You can submit reports anonymously online. If you share contact information, we will acknowledge receipt of your report within three business days.
c. When you submit a report, we encourage you to:
- Describe the website location, date, and time that the vulnerability was discovered and the potential impact of exploitation.
- Describe the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Use English, if possible.
- Attach any supporting documentation.
d. When we receive a report:
- We will acknowledge receipt of your report within three business days, if you provide contact information.
- If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely NARA, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process.
- We will not share your name or contact information without express permission.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
7. Authorities
Department of Homeland Security (DHS) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy (September 2, 2020). BOD 20-01 requires each agency to develop and publish a vulnerability disclosure policy and maintain supporting handling procedures.
Document change history
Version | Date | Description
---|---|---
1.0 | March, 2021 | Initial issuance
1.1 | September, 2022 | Add new domains