BETA SITE: We’re building a new way to get a .gov. Take a look around, but don’t rely on this site yet. This site is for testing purposes only. Don’t enter real data into any form on this site. To learn about requesting a .gov domain, visit get.gov

Skip to main content
U.S. flag

An official website of the United States government

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Vulnerability disclosure policy

We’re committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey how we’d like you to report vulnerabilities to us.

This policy describes:

  • Good faith efforts
  • Guidelines for applying this policy
  • Test methods that aren’t authorized
  • Systems and services covered by this policy
  • How to send us vulnerability reports
  • How long we ask security researchers to wait before publicly disclosing vulnerabilities

We encourage you to report potential vulnerabilities in our systems.

Demonstrate a good faith effort to follow this policy

If you make a good faith effort to comply with this policy during your security research:

  • We’ll consider your research to be authorized.
  • We’ll work with you to understand and resolve the issue quickly.
  • We won’t recommend or pursue legal action related to your research.
  • We’ll make this authorization known if legal action is initiated by a third party against you for activities that were conducted in accordance with this policy.

Guidelines for applying this policy

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods that aren’t authorized

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Systems and services covered by this policy

This policy applies to the following systems and services:

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. And, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, email us at dotgov@cisa.dhs.gov before starting your research. Or, ask the security contact for the system’s domain name listed in the .gov WHOIS.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.

How to report a vulnerability

Submit a vulnerability report using this form or via dotgov@cisa.dhs.gov. You can submit a report anonymously. If you share contact information, we will acknowledge receipt of your report within three business days.

What to include in your vulnerability report

In order to help us triage and prioritize submissions, we recommend that your reports:

  • Describe the location the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
  • Be in English, if possible

What you can expect from us

If you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • We’ll acknowledge that your report has been received within three business days.
  • To the best of our ability, we’ll confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We’ll maintain an open dialogue to discuss issues.

Other .gov systems and services

If you find a security or privacy issue on another .gov service, check the data for all .gov domains to see if the domain has a security contact. Most federal (executive branch) agencies also have a vulnerability disclosure policy. If you are unable to find a contact or receive no response from the security contact, email dotgov@cisa.dhs.gov.

Questions

Questions regarding this policy may be sent to dotgov@cisa.dhs.gov.

cisa logo

get.gov

An official website of the Cybersecurity and Infrastructure Security Agency

Looking for U.S. government information and services?
Visit USA.gov