Recreation.gov Vulnerability Disclosure Program

Introduction

Welcome to recreation.gov!

Program highlights

Gold Standard Safe Harbor Adheres to Gold Standard Safe Harbor.

Top Response Efficiency This program's response efficiency is above 90%.

Managed by HackerOne

• Average time to first response: 5 hours
• Average time to triage: 4 days, 22 hours

Overview

Recreation.gov looks forward to working with the security community to find vulnerabilities in order to keep our visitors safe.

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

• Social engineering (e.g., phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

• Only interact with accounts you own or with explicit permission of the account holder.

Core Ineligible Findings

When reporting potential vulnerabilities, please consider (1) realistic attack scenarios, and (2) the security impact of the behavior. The following issues will be closed as invalid except in rare circumstances demonstrating clear security impact:

Refer to HackerOne's Core Ineligible Findings for the most common false positives.

Thank you for helping keep Recreation.gov, our visitors, and the web safe!