DoD Vulnerability Disclosure Policy

Purpose

This expanded program is intended to give security researchers terms and conditions for conducting vulnerability discovery activities directed at publicly accessible Department of Defense (DoD) information systems¹, including web properties, and submitting discovered vulnerabilities to DoD. If questions arise, please take no action until that action is discussed with the VDP lead at the Department of Defense Cyber Crime Center (DC3).

##Overview Maintaining the security of our networks is a high priority at DoD. Our information technologies provide critical services to Service Members, their families, and DoD employees and contractors. Ultimately, our network security ensures that DoD can defend the United States of America. Recognizing that the broader security research community regularly makes valuable contributions to the security of the Internet, DoD believes that a close relationship with this community will also improve our security. As a result, if you have information about a vulnerability, we want to hear from you!

First, any information submitted to the DoD under this program will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or in the applications of our vendors. This research is not contributing to offensive tools or capabilities.

Second, the VDP program is part of DoD’s efforts to host a conversation between outside security researchers and the Department. This discussion is already underway and as of September 2020, security researchers have identified more than 24,000 potential exploits for our public facing systems. This new program broadens this exchange by offering additional terms and conditions on publicly accessible information system and reporting vulnerabilities – all as part of the effort to improve security over time.

Please review program terms and conditions carefully. Before participating in the VDP, conducting any testing of DoD networks Band prior to submitting a report, you must agree to abide by these new terms and conditions. Failure to abide by the terms and conditions will result in the loss of being considered a security researcher under the program.

Scope

Publicly accessible information systems, web property, or data owned, operated, or controlled by DoD.

How to Submit a Report

Please provide a detailed summary of the vulnerability including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

By clicking “Submit Report,” you are indicating that you have read, understand, and agree to the terms and conditions of the program for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to publicly accessible DoD information systems, and that you consent to having the contents of the communication and follow-up communications stored on a U.S. Government information system.

Guidelines

DoD will deal in good faith with security researchers who discover, test, and submit vulnerabilities² or indicators of vulnerabilities in accordance with these terms and conditions:

• Your activities are limited exclusively to –
• (1) Testing, through remote means, to detect a vulnerability or identify an indicator related to a vulnerability³; and
• (2) Sharing information solely with DoD or receiving information from DoD about a vulnerability or an indicator related to a vulnerability.
• You will do no harm and will not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
• You will avoid intentionally accessing the content of any communications, data, or information transiting or stored on a DoD information system or systems – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists. An information system is set of information resources for collecting, processing, maintaining, using, sharing, disseminating of information.
• You will not exfiltrate any data under any circumstances.
• You will not intentionally compromise the privacy or safety of DoD personnel (e.g., civilian employees or military members), or any third parties.
• You will not intentionally compromise the intellectual property or other commercial or financial interests of any DoD personnel or entities, or any third parties.
• You will not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written authorization from DoD.
• If during your research you are inadvertently exposed to information that the public is not authorized to access, you will effectively and permanently erase all identified information in your possession as directed by DoD and report to DoD that you have done so.
• You will not conduct denial of service testing.
• You will not conduct physical testing (e.g. office access, open doors, tailgating) or social engineering, including spear phishing, concerning DoD personnel or contractors.
• You will not submit a high-volume of low-quality reports.
• If at any point you are uncertain whether to continue testing, please engage with our team.

What You Can Expect From Us

We take every disclosure seriously. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate all reported vulnerabilities.

DoD has a unique information and communications technology footprint. Many DoD technologies are deployed in combat zones and support ongoing military operations. This means that DoD systems can have a life-or-death impact on Service Members and partners of the United States. This also means that it may take longer than you expect to remediate some vulnerabilities as the DoD must take extra care while working with these systems.

DoD remains committed to coordinating with the security researcher transparently and promptly. This includes taking the following actions:

• Within one business day, DoD will acknowledge receipt of your report. DoD’s security team will investigate the report and may contact you for further information.
• When practicable and authorized, DoD will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, while remediation of the vulnerability is under way.
• DoD wants researchers to be recognized publicly for their contributions, if that is the researcher’s desire. The Department will seek to allow researchers desiring to be publicly recognized, when practicable and authorized. However, public disclosure of vulnerabilities will only be authorized by the express written consent of DoD.

Legal

This policy does not grant authorization, permission, or otherwise allow express or implied access to DoD information systems to any individual, group of individuals, consortium, partnership, or any other business or legal entity. However, if a security researcher working in accordance with the terms and conditions of this VDP program discloses a vulnerability, then: (1) DoD will, in the exercise of its authorities, take the following steps to: (1) not initiate or recommend any law enforcement action or civil lawsuits related to such activities against that researcher, and (2) Inform the pertinent law enforcement agencies or civil plaintiffs that the researchers activities were, to the best of our knowledge, conducted pursuant to, and in compliance, with the terms and conditions of the program.

You must otherwise comply with all applicable Federal, State, and local laws in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the program or the law. If you engage in any activities that are inconsistent with the terms and conditions of the program or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-DoD entity (e.g., other Federal departments or agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-DoD entity may independently determine whether to pursue legal action or remedies related to such activities.

DoD may modify the terms and conditions or terminate the program at any time.

---

¹ DoD interprets the term “publicly accessible” as the means of accessing “Information systems,” as defined by 6 U.S.C. 1501(9) and 44 U.S.C. 3502, whereby a researcher has complied with all stated limitations of activity under the guidelines of the VDP policy. ² “Vulnerabilities” throughout this policy may be considered “security vulnerabilities” as defined by 6 U.S.C. 1501(17). ³ These activities, if applied consistent with the terms of this policy, constitute “defensive measures” as defined by 6 U.S.C. 1501(7).