Vulnerability Disclosure Policy
The FRTIB (“Agency”) is committed to ensuring the security of FRTIB information and to preventing unauthorized access, modification, use, or disclosure of this information. FRTIB recognizes that a vulnerability disclosure policy is an important element of an effective vulnerability management program and is critical to the security of internet-accessible information systems. Accordingly, FRTIB is publishing a vulnerability disclosure policy to encourage meaningful collaboration between the FRTIB and the public, enabling FRTIB to remediate vulnerabilities before they can be exploited by an adversary.
The purpose of this document is to establish the FRTIB Vulnerability Disclosure Policy. The policy defines authorized and prohibited research activities, how vulnerabilities are reported and communicated, and the requirements for disclosing vulnerability information to the public. The policy defines how to conduct authorized vulnerability discovery activities, how a Reporter should submit discovered vulnerabilities to the Agency and provides necessary assurances to those who conduct research and report vulnerabilities in good faith.
This Vulnerability Disclosure Policy applies to the FRTIB systems that are publicly accessible through the Internet. The following domains and addresses are in scope:
FRTIB utilizes several third-party services to support its public facing activities. Non-public data published on these third-party systems is IN SCOPE. However, testing those services is NOT IN SCOPE. Only activities on the in-scope systems are authorized.
Any services not expressly listed as in-scope, such as connected services, are excluded from this policy and are not authorized for vulnerability testing. Furthermore, vulnerabilities discovered in non-Federal systems that belong to FRTIB vendors fall outside of this policy’s scope and should be reported directly to the vendor and/or to a central vulnerability collection center, such as the United States Computer Emergency Readiness Team (U.S. CERT) or the CERT Coordination Center. If a researcher is unsure whether a system or endpoint is considered in scope, contact VulnerabilityDisclosure@FRTIB.gov PRIOR to beginning research, as outlined in the public-facing Vulnerability Disclosure Policy.
FRTIB will coordinate with and respond to vulnerability researchers who act “in good faith”.
This policy defines how researchers may discover, test, and submit vulnerabilities or indicators of vulnerabilities in good faith. To be considered acting in good faith, a researcher must act within the scope of this policy and fully comply with the following limitations and procedures. The Researcher must share the information with FRTIB first and must handle information related to the vulnerability in accordance with the instructions provided by the Vulnerability Disclosure Team via VulnerabilityDisclosure@FRTIB.gov. The Vulnerability Disclosure Team may ask the Reporter for additional time prior to disclosing the information to the public.
These activities are limited exclusively to:
- Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
- Sharing or receiving information with FRTIB regarding a vulnerability or an indicator related to a vulnerability.
While conducting these activities, the following conditions must be met:
- There is no harm and/or no apparent attempt to exploit the discovered vulnerability, beyond what is necessary to prove that a vulnerability exists (this includes the information or data that may be discovered as part of the vulnerability research).
- There is no intentional access to the content of any communications, data, or information stored on FRTIB information system(s) – except to the extent that the information is directly related to the discovered vulnerability and the access is necessary to prove its existence. If data or information is accessed during research, the research must cease, and the Researcher must report to FRTIB immediately at the point in time the discovery was made.
- No FRTIB information may be exfiltrated, under any conditions.
- Any testing activities conducted will not compromise the privacy and/or safety of FRTIB personnel (i.e., contractors and federal employees) or of the Thrift Savings Plan’s participants and beneficiaries.
In addition to complying with this policy, security researchers must comply with all applicable Federal, State, and local laws in connection with any security research activities or other participation in this vulnerability disclosure program.
FRTIB does not authorize, permit, or otherwise allow (expressly or implicitly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or with any applicable Federal, State, and local laws. If a Reporter engages in any activities that are inconsistent with this policy or applicable laws, they may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-FRTIB entity (e.g., other federal divisions or Agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any entities; or any other third party), that non-FRTIB third party may independently determine whether to pursue legal action or remedies related to such activities.
FRTIB does not compensate a Finder and/or Reporter for any bug, weakness, or vulnerability discovered and reported to FRTIB, including issues analyzed and confirmed to be actual weaknesses for the Agency.
The following types of tests are not authorized on FRTIB information systems and networks under this policy:
- Network denial of service (DoS) or distributed denial of service (DDoS)
- Penetration Testing of physical security controls
- Social engineering (e.g., phishing, vishing, etc.), or any other non-technical vulnerability testing
Discovery of Sensitive Information
If a security researcher, while testing within the scope of this policy, encounters any of the following, they must stop their testing and notify FRTIB security personnel immediately:
- Personally Identifiable Information (PII) (to include, but not limited to participant data and information, financial information, etc.)
- Proprietary information or trade secrets belonging to any party.
Reporting a Vulnerability
FRTIB accepts and investigates vulnerability reports submitted via the Bugcrowd reporting platform at https://bugcrowd.com/frtib-vdp. Reports may be submitted anonymously, though that may limit FRTIB’s ability to communicate with and credit the Reporter.
Reports must include:
- A description of the vulnerability, its location, and its potential impact.
- A detailed description of the steps required to reproduce the vulnerability (e.g., proof of concept, scripts, screenshots, and screen captures). Please use extreme care to properly label and protect any exploit code.
- Any technical information and related materials FRTIB would need to reproduce the issue; and
- Contact information for the Finder and/or Reporter if the individual wishes to communicate with the Agency.
When transmitting information or data to FRTIB, apply proper security safeguards so that unintentional data leakage does not occur. Reporters shall keep vulnerability reports current by reporting new information as it is identified.
FRTIB’s Duty to Respond to Vulnerability Reports
FRTIB takes every disclosure seriously and will ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities. FRTIB will be as transparent as possible with the Reporter about what steps the Agency is taking during the remediation process.
The Agency shall coordinate with the Finder and/or Reporter as quickly as possible. This includes:
- Notifying the System Owners (SO) of the vulnerability disclosure within two business days of the Reporter notifying FRTIB, and allowing an Agency designee to communicate with the Reporter.
- Within three business days, FRTIB will acknowledge receipt of the vulnerability report. FRTIB will investigate the report and may contact the Reporter for further information.
- To the best of its ability, FRTIB will confirm the existence of the vulnerability to the Reporter and keep the Reporter informed, as appropriate, as remediation of the vulnerability is underway.
Information submitted to FRTIB under the guidance of this policy will be used for defensive purposes – the mitigation or remediation of vulnerabilities in FRTIB networks, applications, or the applications of our vendors.
Assurances to Good Faith Researchers
If security research and vulnerability disclosure activities are conducted in accordance with the restrictions and guidelines set forth in this policy, FRTIB will not initiate or recommend legal action related to such activities.
If good faith security research conducted in accordance with this policy results in legal action pursued by a third-party such as the Department of Justice, the Agency will take necessary steps to clarify that the activities were conducted pursuant to and in compliance with this policy.
Questions regarding this policy, its scope, authorized activities, or other related matters should be directed to VulnerabilityDisclosure@FRTIB.gov PRIOR to beginning research.