Vulnerability Disclosure Policy

Version 2.0

Purpose

The United States (U.S.) Department of Commerce (DOC) manages data critical to creating conditions for U.S. economic growth and opportunity. 

The DOC is committed to ensuring the security of the U.S. public by protecting the public’s information from unwarranted disclosure. As such, the DOC has created a Vulnerability Disclosure Policy (VDP) and Vulnerability Disclosure Program to give security researchers clear guidelines for conducting vulnerability discovery activities on DOC websites, information systems, and digital services, as well as to convey the DOC’s preferences in how to submit discovered vulnerabilities to the DOC.

The DOC’s Vulnerability Disclosure Policy describes what systems and types of research are covered under this program, how to submit vulnerability reports, and requirements for public disclosure of submitted vulnerabilities.

Authorization

Security researchers must comply with all applicable Federal, State, and local laws in connection with the security research activities or other participation in this Vulnerability Disclosure Program. 

Efforts made in good faith to comply with this policy during all security research will be considered authorized. The DOC will work with the researcher to understand and quickly resolve issues and will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against the security researcher for research conducted in accordance with this policy, the DOC will reaffirm this authorization. 

Scope and Applicability

This policy is for security researchers interested in reporting system security vulnerabilities and is intended for authorized DOC publicly available systems/services only. This policy applies to anyone wishing to conduct vulnerability discovery activities, including research and testing conducted on the DOC’s publicly available systems and services. Specifically, this policy applies to all DOC websites, information systems, and digital services intended for public use or made internet accessible. 

Out of Scope Systems and Services

The following websites, information systems, and services are excluded from the testing provisions and legal protections afforded to security researchers within this policy. If security researchers are uncertain of whether a website, information system, or digital service is in-scope of this policy, it is recommended that they reach out to [email protected] or to the security contact for the information system’s domain name listed in the .gov WHOIS before beginning testing: 

  • National Security Systems (NSS). The definition of a National Security System, along with other applicable terms used in the National Security Community, is found in CNSSI 4009, Information Assurance Glossary
  • Information systems, websites, or services owned and operated by vendors or other entities; vulnerabilities found in information systems from our vendors and other entities fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any)
  • Non-public facing or non-internet-accessible websites, information systems, and digital services

Additionally, vulnerabilities found in systems from non-DOC entities are outside of this policy’s scope and should be reported directly to the non-DOC entity according to their disclosure policy. If there is uncertainty regarding the scope, please contact: https://bugcrowd.com/engagements/usdoc-vdp

Guidelines

Under this policy, “research” means activities in which you: 

  • Notify the DOC as soon as possible after the discovery of any real or potential security issue(s)
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems
  • Do not submit a high volume of low-quality reports

Upon the discovery of a vulnerability or sensitive data (including personally identifiable information, financial information or proprietary information or trade secrets of any party): 

  • ALL tests must be stopped
  • Notify DOC immediately
  • Do not disclose this data to anyone

Reporting a Vulnerability

Information submitted under this policy will be used for defensive purposes only. If discovered findings include new vulnerabilities that affect all users of a product or service and not solely the DOC, the DOC may share your report with the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled according to their coordinated vulnerability disclosure process. The DOC will not share your name or contact information without express permission. 

The DOC only accepts vulnerability reports through https://bugcrowd.com/engagements/usdoc-vdp. Reports may be submitted anonymously. If contact information is shared, the DOC will acknowledge receipt of the information within three (3) business days.

When submitting a vulnerability, the security researcher acknowledges that there is no expectation of payment and that any future pay claims against the U.S. Government related to the submission have been waived. 

When contact information is shared, the DOC commits to coordinating with the security researcher in a transparent and timely manner: 

  1. Within three (3) business days, the DOC will acknowledge that the report has been received.
  2. Within fifteen (15) business days, if appropriate, the DOC will confirm the existence of the vulnerability and provide further discussion on findings, resolutions, and/or issues or challenges that may delay resolution.

Policy

Vulnerability Reports 

To report identified vulnerabilities, security researchers must:  

  1. Submit vulnerability reports to https://bugcrowd.com/engagements/usdoc-vdp.
  2. Describe the location the vulnerability was discovered and the potential impact of exploitation.
  3. Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots).
  4. Submit vulnerability reports anonymously, if desired. If a security researcher provides DOC with an email address, DOC will acknowledge, via email, receipt of submitted reports within three (3) business days.
  5. Keep confidential any information about discovered vulnerabilities for up to ninety (90) calendar days after being notified by the DOC.

Coordinated Disclosure

DOC is committed to patching vulnerabilities within ninety (90) days or less and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities improves an organization’s security posture by providing an additional method for identifying vulnerabilities and remediating them before they are exploited by cybercriminals.

At the same time, we believe that disclosure in absence of a readily available patch can increase risk rather than reduce it, and so we ask that security researchers refrain from sharing reports with others, or releasing reports to the public, while remediation is occurring. If there is a need to inform others of the submitted report before remediation is complete, please coordinate with DOC at https://bugcrowd.com/engagements/usdoc-vdp prior to release for assessment.

Use of Vulnerability Reports

Information submitted under this policy shall be used by the DOC for defensive cybersecurity purposes (i.e., to mitigate or remediate vulnerabilities). If an issue has been reported and determined to be both within the program scope and a valid security issue, the DOC will validate the finding(s), and the security researcher can disclose the vulnerability after a resolution has been issued.

Information Sharing

Information submitted under this policy may be shared for defensive cybersecurity means: 

  1. If findings submitted include newly discovered vulnerabilities that affect users of a product or service outside of the DOC, the DOC may share vulnerability reports with DHS CISA, where it will be handled under DHS CISA’s coordinated vulnerability disclosure process. The DOC retains the right to share this information with DHS CISA and other applicable organizations, as needed.
  2. Personal information pertinent to the security researcher will not be disclosed or shared without the researcher’s express permission.

Unauthorized Testing Methods

The following test methods are not authorized by the DOC: 

  1. Tests of any systems other than the systems set forth in the ‘Scope’ of this policy.
  2. Physical testing of facilities or resources (e.g., office access, open doors, tailgating).
  3. Social engineering (e.g., phishing, vishing, spam, and other suspicious email), and any other non-technical vulnerability testing.
  4. Network denial of service (DoS or Distributed DoS) or tests that impair access to or damage availability to a system or data.
  5. Tests that exhaust bandwidth or are resource intensive.
  6. Unidentified malware, viruses, Trojan horses, or worms.
  7. Rainbow tables, password cracking, or brute force testing.  
  8. Using an exploit to exfiltrate data, establish command line access, establish a persistent presence on DOC systems, or “pivot” to other DOC systems.
  9. Testing third-party applications, websites, or services that integrate with or link to or from DOC systems.
  10. Deleting, altering, sharing, retaining, or destroying DOC data, or rendering DOC data inaccessible.

Questions

Questions or suggestions regarding this policy may be sent to: https://bugcrowd.com/engagements/usdoc-vdp

Last updated 2/25/2026