Vulnerability Disclosure Policy (VDP)

Purpose
Authorized Activities
Overview
Scope of Policy
Reporting a Vulnerability
What You Can Expect from Us
Activities Outside the Scope of this Policy

Purpose

The Department of Justice (DOJ) is committed to ensuring the security of the American public by safeguarding their digital information. This Vulnerability Disclosure Policy (VDP) provides guidelines for the cybersecurity research community and members of the general public (hereafter referred to as researchers) on conducting good faith vulnerability discovery activities directed at public facing DOJ websites and services. This VDP also instructs researchers on how to submit discovered vulnerabilities [1] to the DOJ’s Office of the Chief Information Officer (OCIO), within the Justice Management Division.

Authorized Activities

If a researcher complies with this policy in conducting vulnerability discovery activities, DOJ OCIO will consider those activities to be authorized.

Overview

Providing information and resources to the public and the law enforcement community constitutes a significant part of DOJ’s mission. Many of those interactions with the public are now conducted online. As such, DOJ’s information systems [2] play a critical role in supporting the Department and its component staffs as they execute their missions and safeguard American citizens. Maintaining the security of DOJ’s systems and networks is the mission of the DOJ OCIO.

DOJ OCIO recognizes that the cybersecurity research community regularly makes valuable contributions to the cybersecurity of individual organizations and the broader Internet. DOJ OCIO recognizes that fostering a positive relationship with this community can help improve the Department’s own security.

Vulnerabilities submitted to DOJ OCIO under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks and services, or those of our vendors.

Researchers must review, understand, and abide by the following terms and conditions before conducting any research or testing on DOJ networks and before submitting a report.

General Guidelines

As described in more detail below, to be considered authorized activities under this policy, researchers must:

Notify DOJ OCIO within 72 hours of discovering any real or potential security vulnerabilities.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only conduct testing activities to the extent necessary to confirm a vulnerability’s presence.
- Do not use any exploit to compromise or exfiltrate data; open, take, or delete files; establish command line access and/or persistence; or pivot to other systems.
- Do not escalate privileges or attempt to move laterally within the network.
- Do not disrupt access to DOJ services or introduce any malware in the course of testing.
Do not publicly disclose reported vulnerabilities without prior coordination with DOJ OCIO.
Do not submit a high volume of low-quality reports.

Once a researcher establishes that a vulnerability exists, or encounters any sensitive data (including personally identifiable information, financial information, or the proprietary information or trade secrets of any party), they must stop testing, notify DOJ OCIO immediately through our vulnerability submission process, and not disclose this data to anyone else.

Test Methods

DOJ OCIO will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with the following guidelines:

Testing activities are limited exclusively to
- (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability;[3] or
- (2) Sharing information with, or receiving information from, DOJ OCIO about a vulnerability or an indicator related to a vulnerability.
Researchers may not harm any DOJ system or data on a DOJ system or exploit any potential vulnerabilities beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
Researchers must not establish command line access and/or persistence; pivot to other systems; escalate privileges; attempt to move laterally within the network; disrupt access to DOJ services; or introduce any malware in the course of testing.
Researchers must avoid intentionally accessing the content of any communications, data, or information transiting or stored on any DOJ information system – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
Researchers must not intentionally exfiltrate or copy DOJ data, or open, take, or delete files. Should researchers obtain DOJ data during their research, they must coordinate with DOJ OCIO to ensure that data is appropriately destroyed upon confirmation that the vulnerability is remediated.
Researchers may not intentionally compromise the privacy or safety of DOJ personnel (e.g. employees, contractors, or parties to ongoing investigations) or any third parties.
Researchers may not intentionally compromise the intellectual property or other commercial or financial interests of any DOJ personnel or entities or any third parties through their research.
Researchers may not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, until that vulnerability is remediated and they receive explicit written authorization from DOJ OCIO.
Researchers may not conduct denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
Researchers may not conduct physical testing or social engineering, including spear phishing, of DOJ personnel or contractors.
Researchers may not intentionally submit a high-volume of low-quality, unsubstantiated, or false-positive reports.
If at any point researchers are uncertain whether to continue testing, researchers must engage with DOJ OCIO at the email address provided below before conducting any further testing.

Scope of Policy

This policy applies to all DOJ-managed systems and services that are accessible from the Internet. This includes the registered domain name - DOJ.gov. If a researcher is unsure whether a system is in scope or not, contact DOJ at Responsible_Disclosure@usdoj.gov before starting any testing (or at the security contact for the system’s domain name listed in the .gov WHOIS).

Reporting a Vulnerability

If a vulnerability is discovered, researchers must provide a detailed summary of the vulnerability, including the following:

description of the vulnerability and its potential impact;
product, version, and configuration of any software or hardware potentially impacted;
step-by-step instructions to reproduce the issue;
proof-of-concept; and
suggested mitigation or remediation actions, as appropriate.

DOJ OCIO will accept vulnerability disclosure reports through the DOJ VDP Reporting Portal or by email. When submitting sensitive material, DOJ OCIO recommends encrypting the data.

By submitting a report through the DOJ VDP Portal or communicating with DOJ OCIO at Responsible_Disclosure@usdoj.gov, DOJ OCIO will presume that the submitter read, understands, and agrees to the guidelines described in this policy, and consents to having any subsequent communications with DOJ stored on a U.S. Government information system. Personal data submitted in a vulnerability disclosure report will not be retained by DOJ OCIO, other than contact information that will only be retained in order to coordinate with the researcher.

By submitting a report or communicating with DOJ OCIO at Responsible_Disclosure@usdoj.gov, DOJ OCIO will presume that the submitter read, understands, and agrees to the guidelines described in this policy, and consents to having any subsequent communications with DOJ stored on a U.S. Government information system. Personal data submitted in a vulnerability disclosure report will not be retained by DOJ OCIO, other than contact information that will only be retained in order to coordinate with the researcher.

If a researcher discovers a zero-day or any new vulnerability that may affect all users of a product or service and not solely the DOJ, DOJ OCIO may share a vulnerability disclosure report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without your express permission.

What You Can Expect From Us

DOJ OCIO will take every disclosure report seriously and, to the extent it deems appropriate, investigate every report to validate the vulnerability, prioritize the risk, and ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.

DOJ OCIO remains committed to coordinating with the security research community as openly and quickly as possible. This includes:

Acknowledging receipt of each vulnerability report within three (3) business days. DOJ OCIO’s security team or its partners will investigate each report, and may contact the researcher for further information.
Confirming the existence of the vulnerability to the researcher to the best of our ability and informing the researcher of any issues or challenges that may delay resolution. If necessary, DOJ OCIO or its partners may coordinate with the researcher for additional information as we work to remediate a vulnerability.
Maintaining an open dialogue with individual researchers to discuss issues.
If researchers conduct vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) DOJ OCIO will not initiate or recommend any law enforcement or civil actions related to such activities, and (2) in the event of any law enforcement or civil action brought in connection with research activities, DOJ OCIO will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.

Activities Outside the Scope of this Policy

DOJ does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity on or affecting DOJ systems that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or other applicable law, you may be subject to criminal and/or civil liabilities.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-DOJ entity (e.g., other Federal departments or agencies; State, local, or Tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), those third parties may independently determine whether to pursue legal action or remedies related to such activities.

This policy does not in any way limit the authority of the United States Attorneys or other components of the DOJ to pursue legal action. Nor will actions taken in accordance with this policy shield an individual from prosecution for any previous or future violations of the law.

Modification or Termination of this Policy
DOJ may modify the terms of this policy or terminate the policy at any time.

Questions

Questions regarding this policy may be sent to Responsible_Disclosure@usdoj.gov. We also invite you to contact us with suggestions for improving this policy.

[1] Per M-20-32, and consistent with 6 U.S.C. 1501(17), vulnerabilities described by this policy may be considered “security vulnerabilities” and are defined as a “[w]eakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

[2] See definition in 6 U.S.C. 1501(9).

[3] These activities, when undertaken consistent with the terms of this policy, constitute “defensive measures” as defined by 6 U.S.C. 1501(7))

Updated April 3, 2024