Vulnerability Disclosure Policy

Introduction

The U.S. Office of Special Counsel (OSC) is committed to ensuring the security of the American public by safeguarding their digital information. This policy is intended to give the cybersecurity research community and members of the general public (hereafter referred to as researchers) clear guidelines for conducting vulnerability discovery activities and to convey our preferences on how to submit discovered vulnerabilities to OSC.
This policy describes what information systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage security researchers to contact us to report potential vulnerabilities in our systems.
Authorization
If researchers make a good faith effort to comply with this policy during their security research, OSC will consider the research to be authorized, will work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to the research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

For their activities to be considered authorized under this policy, researchers must:

  • Notify OSC as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only conduct testing activities to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not publicly disclose reported vulnerabilities without prior coordination with OSC Information Technology Office.
  • Do not submit a high volume of low-quality reports.

Once a researcher establishes that a vulnerability exists or encounters any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), they must stop testing, notify OSC immediately, and not disclose this data to anyone else.

Test methods

Researchers must not:

  • Test any system other than the systems set forth in the ‘Scope’ section below;
  • Engage in physical testing of facilities or resources;
  • Send unsolicited electronic mail to OSC users, including “phishing” messages;
  • Execute or attempt to execute denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data;
  • Introduce malicious software;
  • Test in a manner which could degrade the operation of OSC systems; or intentionally impair, disrupt, or disable OSC systems;
  • Delete, alter, share, retain, or destroy OSC data, or render OSC data inaccessible; or
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on OSC systems, or “pivot” to other OSC systems.

Researchers must:

  • Cease testing and notify OSC immediately upon discovery of a vulnerability
  • Cease testing and notify OSC immediately upon discovery of an exposure of nonpublic data
  • Purge any stored OSC nonpublic data upon reporting a vulnerability

Scope

This policy applies to all OSC-managed systems and services that are accessible from the Internet. This includes the registered domain name osc.gov.

Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If a researcher is unsure whether a system is in scope, they should contact OSC through our vulnerability disclosure questions form.

Reporting a vulnerability

OSC will use information submitted under this policy for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely OSC, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
OSC accepts vulnerability reports using this hyperlinked form. Reports may be submitted anonymously. If you share contact information, OSC will acknowledge receipt of your report within 3 business days.
OSC does not support PGP-encrypted emails.
By submitting a vulnerability, the researcher acknowledges that there is no expectation of payment and that they expressly waive any future payment claims against OSC or the U.S. Government related to the submission.

What we would like to see from you

In order to help OSC prioritize submissions, we recommend that the researcher:

  • Describe the location where the vulnerability was discovered and the potential impact of exploitation;
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful); and
  • Respond in English, if possible.

What you can expect from us

When a researcher chooses to share their contact information with us, OSC commits to coordinating with them as openly and quickly as possible.

  • Within 3 business days, OSC will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to the researcher and inform them about what steps OSC is taking during the remediation process, including on issues or challenges that may delay resolution.
  • OSC will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent through OSC’s vulnerability disclosure questions form. We also invite you to contact us with suggestions for improving this policy.

Last Updated: March 1, 2021