The Department of Justice (DOJ) is committed to ensuring the security of the American public by safeguarding their digital information. This Vulnerability Disclosure Policy (VDP) provides guidelines for the cybersecurity research community and members of the general public (hereafter referred to as researchers) on conducting good faith vulnerability discovery activities directed at public facing Department of Justice websites and services. This Vulnerability Disclosure Policy also instructs researchers on how to submit discovered vulnerabilities* to the Department of Justice's Office of the Chief Information Officer (OCIO), within the Justice Management Division.
Authorized Activities
If a researcher complies with this policy in conducting vulnerability discovery activities, Department of Justice's Office of the Chief Information Officer (OCIO) will consider those activities to be authorized.
Reporting a Vulnerability
If a vulnerability is discovered, researchers must provide a detailed summary of the vulnerability, including the following:
- description of the vulnerability and its potential impact;
- product, version, and configuration of any software or hardware potentially impacted;
- step-by-step instructions to reproduce the issue;
- proof-of-concept; and
- suggested mitigation or remediation actions, as appropriate.
Department of Justice Office of the Chief Information Officer will accept vulnerability disclosure reports through the Department of Justice Vulnerability Disclosure Policy Reporting Portal or by email. When submitting sensitive material, Department of Justice Office of the Chief Information Officer recommends encrypting the data.
By submitting a report through the Department of Justice Vulnerability Disclosure Policy Portal or communicating with Department of Justice Office of the Chief Information Officer at Responsible_Disclosure@usdoj.gov, Department of Justice OCIO will presume that the submitter has read, understands, and agrees to the guidelines described in this policy, and consents to having any subsequent communications with Department of Justice stored on a U.S. Government information system. Personal data submitted in a vulnerability disclosure report will not be retained by Department of Justice Office of the Chief Information Officer, other than contact information that will only be retained in order to coordinate with the researcher.
If a researcher discovers a zero-day or any new vulnerability that may affect all users of a product or service and not solely the Department of Justice, Department of Justice Office of the Chief Information Officer may share a vulnerability disclosure report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without your express permission.
Activities Outside the Scope of This Policy
Department of Justice does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity on or affecting Department of Justice systems that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or other applicable law, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-DOJ entity (e.g., other Federal departments or agencies; State, local, or Tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), those third parties may independently determine whether to pursue legal action or remedies related to such activities.
This policy does not in any way limit the authority of the United States Attorneys or other components of the Department of Justice to pursue legal action. Nor will actions taken in accordance with this policy shield an individual from prosecution for any previous or future violations of the law.
Questions
Questions regarding this policy may be sent to Responsible_Disclosure@usdoj.gov. We also invite you to contact us with suggestions for improving this policy.
Department of Justice may modify the terms of this policy or terminate the policy at any time.
* Per M-20-32, and consistent with 6 U.S.C. 1501(17), vulnerabilities described by this policy may be considered "security vulnerabilities" and are defined as a "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."