In accordance with Section 101 and Title I of the SECURE Technology Act (P.L. 115- 390), this policy provides security researchers with clear guidelines for (1) conducting good faith vulnerability and attack vector discovery activities directed at Department of Homeland Security (DHS) systems and (2) submitting those discovered vulnerabilities. This policy has been developed in consultation with the Attorney General, the Secretary of Defense, the Administrator of GSA, and non-governmental security researchers.
The Secret Service has a unique information and communications technology footprint that is tightly interwoven and globally deployed. Our information systems provide critical services in support of the Secret Service. Maintaining the security of our networks is a high priority at the Secret Service.
Ultimately, our network security ensures that we can accomplish our missions and contribute to the success of the individuals who contribute to the mission success. The Secret Service recognizes that security researchers regularly contribute to the work of securing organizations and the Internet as a whole. Therefore, the Secret Service invites reports of any vulnerabilities discovered on internet-accessible Secret Service information systems, applications, and websites. Information submitted to Secret Service under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks.
This program upholds the DHS motto “See Something – Say Something” in the virtual environment by positively engaging with and establishing a communication loop between researchers and DHS. Hereinafter, researcher may be referred to as “you” or “your” and the Secret Service may be interchangeably used in conjunction with or alternatively referenced as “we”, “our”, or “us.”
This policy applies to any internet-accessible information system, application, or website owned, operated, or controlled by the Secret Service, including any web or mobile applications hosted on those sites. Contractor information systems operated on behalf of DHS are not included within the scope of this policy.
This policy applies to the following systems and services:
Any services not explicitly identified here are considered out-of-scope and are not authorized for testing. The scope of Secret Service assets subject to this policy will be updated regularly. If a researcher is unsure whether a system is in scope or not, contact the Secret Service at firstname.lastname@example.org before starting any testing (or at the security contact for the system’s domain name listed in the .gov WHOIS).
Security Research Guidelines
You MUST read and agree to abide by the guidelines in this policy for conducting security research and disclosure of vulnerabilities or indicators of vulnerabilities related Secret Service information systems. We will presume you are acting in good faith when you discover, test, and submit reports of vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
- You MUST comply with all applicable Federal, State, and local laws in connection with security research activities or other participation in this vulnerability disclosure program.
- You MUST stop testing and notify the Secret Service immediately through our vulnerability submission process once you establish that a vulnerability exists, or encounter any sensitive data (including personally identifiable information, financial information, or the proprietary information or trade secrets of any party)
- You MUST NOT use the vulnerability to pivot into other systems.
- You MUST NOT exfiltrate any data under any circumstances.
- You MUST NOT test the physical security of our government facilities, equipment, or personnel.
- You MUST NOT intentionally compromise the privacy or safety of Secret Service personnel (e.g., civilian employees) or any legitimate third parties.
- You MUST NOT intentionally compromise the intellectual property or other commercial or financial interests of any DHS personnel or entities or any legitimate third parties.
- You MUST NOT disclose any details of any extant Secret Service information system vulnerability or indicator of vulnerability to any party not already aware at the time the report is submitted to the Secret Service.
- You MUST NOT deface any Secret Service digital assets.
- You MUST NOT access, or modify any account that does not belong to the researcher
- You MUST NOT disclose any incidental proprietary data revealed during testing or the content of information rendered available by the vulnerability to any party not already aware at the time the report is submitted to the Secret Service.
- You MUST NOT cause a denial of any legitimate services or delete any data.
- You MUST NOT conduct social engineering in any form of Secret Service personnel or contractors.
- You MUST NOT conduct testing which results in unsolicited messages or alerts targeting email, text messages, social media posts.
- You MUST NOT submit a high-volume of low-quality reports.
- If you find a vulnerability in a Secret Service information system consequent to a vulnerability in a generally available product, you MAY report the product vulnerability to the affected vendor or a third-party vulnerability coordination service to enable the product to be fixed.
- You MUST adhere to a 90-day disclosure deadline for known vulnerabilities. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the closest adjacent business day.
- You MUST adhere to a 7-day disclosure deadline for previously unknown and unpatched vulnerabilities.
- You MAY disclose to the public the prior existence of vulnerabilities already fixed by Secret Service, potentially including details of the vulnerability, indicators of vulnerability, or the nature (but not content) of information rendered available by the vulnerability. If you choose to disclose, you should do so in consultation with the Secret Service.
- You SHOULD strive to submit high-quality reports.
If at any point you are uncertain of whether to proceed with testing, please contact our team at email@example.com.
Reporting a Vulnerability
Please submit a report of the vulnerability to firstname.lastname@example.org. We do not support PGP-encrypted emails for vulnerability reports.
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
The following information must be submitted to report a vulnerability.
- Where the vulnerability was found (examples may be a hostname, URL, IP address, or radio frequency band).
- Description of the vulnerability.
- Detailed description of the steps needed to reproduce the vulnerability (links to proof of concept scripts or screenshots are helpful).
- Potential impact to a system or site.
- Recommended remediation actions
Researchers are encouraged to provide contact information for continued discussion. However, vulnerabilities may be reported anonymously. Researchers who submit vulnerability reports anonymously will not receive confirmation their vulnerability report was received, the Secret Service validated their findings, or the outcome of remediation activities.
The Secret Service takes every disclosure seriously, and very much appreciate your efforts. We are committed to coordinating with you as openly and expeditiously as possible. The contents of information provided in the reports and follow-up communications are processed and stored on a U.S. Government information system. You can expect us to do the following:
- The Secret Service SHALL investigate every reported vulnerability and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
- If you opt to provide your contact information, the Secret Service team MAY contact you for further information.
- The Secret Service SHALL, to the best of our ability, validate the existence of the vulnerability.
- The Secret Service MAY disclose to the public the prior existence of vulnerabilities remedied by us, potentially including details of the vulnerability such as the indicators of vulnerability, or the nature (but not content) of information rendered available by the vulnerability.
- If the Secret Service chooses to publicly disclose your reported vulnerability, we SHALL recognize your contribution as it must pertain to improving our security, the first to report a unique vulnerability, and if your report triggers a code or configuration change.
- In the event you report a vulnerability pertaining to a generally available product, the Secret Service SHALL validate the vulnerability pertaining to the identified product is legitimate and that it is a product used within our environment. After those factors are verified, the Secret Service MAY report the product vulnerability to the affected vendor or to a third-party vulnerability coordination service.
- The Secret Service SHALL NOT forward your name and contact information to any affected vendors unless otherwise requested by you.
- The Secret Service MAY NOT disclose information provided by any vendor unless the vendor explicitly states to do so.
- If you opt to provide your contact information, the Secret Service SHALL request 30 days to acknowledge receipt of the report and validation of its findings.
- If you opt to provide your contact information, the Secret Service SHALL notify you that the vulnerability was remediated no later than 30 days after remediation activities are completed.
- The Secret Service MAY consult with you and any affected vendors to determine our public disclosure plans of the vulnerability.
- In cases where a product is affected and the vendor is unresponsive, or fails to establish a reasonable timeframe for remediation, the Secret Service MAY disclose product vulnerabilities 45 days after the initial contact is made, regardless of the existence or availability of patches or workarounds from affected vendors.
If a researcher complies with this policy in conducting vulnerability discovery activities, the Secret Service will consider those activities to be authorized. If researchers conduct vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, the Secret Service Chief Information Officer will not initiate or recommend any law enforcement or civil actions related to such activities.
The Secret Service does not authorize, permit, or otherwise allow (expressly or implicitly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. Any activities that are inconsistent with this policy or the law may lead to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Secret Service entity (e.g., other Federal departments or agencies; State, local, or Tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), those third parties may independently determine whether to pursue legal action or remedies related to such activities.
Actions taken in accordance with this policy will not shield an individual from prosecution for any previous or future violations of the law.
Modification or Termination of this Policy
The Secret Service may modify the terms of this policy or suspend this policy at any time without prior notice.
Questions regarding this policy may be sent to email@example.com. We also invite you to contact us with suggestions for improving this policy.