Vulnerability Disclosure Policy
The Federal Retirement Thrift Investment Board (FRTIB) is committed to ensuring the security of FRTIB information and to preventing unauthorized access, modification, use, or disclosure. FRTIB recognizes that a vulnerability disclosure policy is an important element of an effective vulnerability management program and critical to the security of internet-accessible information systems. FRTIB is publishing a vulnerability disclosure policy in order to encourage meaningful collaboration between the FRTIB and the public and to enable the FRTIB to remediate vulnerabilities before they can be exploited by an adversary.
The purpose of this policy is to establish the FRTIB Vulnerability Disclosure Policy, to define authorized and prohibited research and activities, to define how vulnerabilities are reported and communicated to the Agency, and to set the requirements for disclosing vulnerability information to the public on behalf of the Agency as a ‘Reporter’.
This Vulnerability Disclosure Policy applies to the FRTIB systems that are publicly accessible, meaning that an individual may access these systems from outside of the trusted FRTIB network. The following domains are in scope:
FRTIB utilizes several third-party services to support its in-public work model. Non-public data published on these third-party systems is considered to be IN SCOPE. However, testing those services is NOT IN SCOPE. Only activities on the in-scope systems are authorized.
Additionally, any services not expressly listed as in-scope, such as connected services, are excluded from this policy and are not authorized for vulnerability testing. Furthermore, vulnerabilities discovered in non-federal systems that belong to FRTIB vendors fall outside of this policy’s scope and should be reported directly to the vendor and/or to a central vulnerability collection center, such as the United States Computer Emergency Readiness Team (US-CERT) or the CERT Coordination Center (CERT/CC).
FRTIB will coordinate with and respond to vulnerability researchers who act in “good faith”.
This policy defines how researchers may discover, test, and submit vulnerabilities or indicators of vulnerabilities in good faith. To be considered acting in good faith, a researcher must act within the scope of this policy and fully comply with the following limitations and procedures.
These activities are limited exclusively to:
- Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
- Sharing or receiving information with FRTIB regarding a vulnerability or an indicator related to a vulnerability.
- The researcher must share the information with FRTIB first and must handle information related to the vulnerability in accordance with the instructions provided by the Vulnerability Disclosure Team (VulnerabilityDisclosure@FRTIB.gov). The Vulnerability Disclosure Team may ask the reporter for additional time before the information is disclosed to the public.
While conducting these activities, the following conditions must be met:
- The researcher causes no harm and makes no attempt to exploit the discovered vulnerability beyond what is necessary to prove that the vulnerability exists (this includes any information or data that may be discovered as part of the vulnerability research).
- There is no intentional access to the content of any communications, data, or information stored on FRTIB information system(s), except to the extent that the information is directly related to the discovered vulnerability and the access is necessary to prove its existence. If data or information is accessed during research, testing must cease, and the researcher must report to FRTIB immediately at the point the discovery was made.
- No FRTIB information may be exfiltrated, under any conditions.
- Testing activities must not compromise the privacy or safety of FRTIB personnel (e.g., contractors and federal employees) or its customers.
In addition to complying with this policy, security researchers must comply with all applicable Federal, State, and local laws in connection with any security research activities or other participation in this vulnerability disclosure program.
FRTIB does not authorize, permit, or otherwise allow (expressly or implicitly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or with any applicable Federal, State, and local laws. If a researcher engages in any activities that are inconsistent with this policy or applicable laws, they may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-FRTIB entity (e.g., other Federal departments or agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-FRTIB third party may independently determine whether to pursue legal action or remedies related to such activities.
FRTIB does not compensate finders or reporters for any bug, weakness, or vulnerability discovered and reported to FRTIB under this policy, including issues that are analyzed and confirmed to be actual weaknesses in Agency systems.
The following types of testing are not authorized on FRTIB information systems and networks under this policy:
- Network denial of service (DoS or DDoS);
- Penetration testing of physical security controls (e.g., office access, open doors, tailgating); and
- Social engineering (e.g., phishing, vishing) or any other non-technical vulnerability testing.
Discovery of Sensitive Information
If a security researcher, while testing within the scope of this policy, encounters any of the following, they must stop their testing and notify FRTIB security personnel immediately:
- Personally Identifiable Information (PII) (including, but not limited to, participant data and information, financial information, etc.); and
- Proprietary information or trade secrets of any party.
Reporting a Vulnerability
FRTIB accepts and investigates vulnerability reports submitted via email to the Vulnerability Disclosure Mailbox (VulnerabilityDisclosure@FRTIB.gov). Reports may be submitted anonymously, though that may limit FRTIB’s capability to communicate with and credit the reporter.
Reports must include:
- A description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (e.g., proof of concept (PoC), scripts, screenshots, and screen captures); please use extreme care to properly label and protect any exploit code;
- Any technical information and related materials FRTIB would need to reproduce the issue; and
- Contact information for the finder and/or reporter.
When transmitting information or data to FRTIB, apply proper security safeguards so that unintentional data leakage does not occur. Reporters shall keep vulnerability reports current by sending new information as it becomes available.
FRTIB’s Duty to Respond to Vulnerability Reports
FRTIB takes every disclosure seriously and will ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities. FRTIB will be as transparent as possible with the reporter about what steps the Agency is taking during the remediation process.
The Agency shall coordinate with the Finder/Reporter as quickly as possible. This includes:
- Notifying the System Owner (SO) of the vulnerability disclosure within two business days of the reporter notifying FRTIB, and allowing the SO to communicate with the reporter, as required;
- Acknowledging receipt of the vulnerability report within three business days; FRTIB’s security team will investigate the report and may contact the reporter for further information; and
- Confirming, to the best of its ability, the existence of the vulnerability to the Reporter and keeping the Reporter informed, as appropriate, while remediation of the vulnerability is underway.
Information submitted to FRTIB under the guidance of this policy will be used for defensive purposes – the mitigation or remediation of vulnerabilities in FRTIB networks, applications, or the applications of our vendors.
Assurances to Good Faith Researchers
If security research and vulnerability disclosure activities are conducted in accordance with the restrictions and guidelines set forth in this policy, FRTIB will not initiate or recommend legal action related to such activities.
If good faith security research conducted in accordance with this policy results in legal action pursued by a third party, such as the Department of Justice, the Agency will take the necessary steps to clarify that the activities were conducted pursuant to and in compliance with this policy.
Anyone with questions regarding this policy, authorized activities, or whether a system or endpoint is considered in scope should contact the Vulnerability Disclosure Mailbox (VulnerabilityDisclosure@FRTIB.gov) PRIOR to beginning research.