Vulnerability Disclosure Policy

Introduction

The Department of Education's (Department) stated mission is, "to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access."

This Vulnerability Disclosure Policy (VDP) describes the activities that can be undertaken by security researchers to find and report vulnerabilities in internet-accessible systems and services in a legally authorized manner. Security researchers can be any persons of any age or affiliation located anywhere in the world. This policy is effective as of March 1, 2021.

Authorization

The Department is authorized to develop and publish the VDP under the Department of Homeland Security (DHS) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy, dated September 2, 2020, and Office of Management and Budget (OMB) Memorandum M-20-32, Improving Vulnerability Identification, Management, and Remediation, dated September 2, 2020. Together these direct agencies to develop and publish a VDP for their internet-accessible systems and services and to maintain the processes needed to support it.

Overview

Vulnerability disclosure is the "act of initially providing vulnerability information to a party that was not believed to be previously aware." The individual or organization that performs this act is called the reporter or security researcher.

The Department recognizes that cultivating a close relationship with security researchers will help improve security. If security researchers have information about a vulnerability in a Department internet-accessible system or service, the Department requests to be informed as soon as possible.

Information submitted to the Department under the VDP will be used to mitigate or remediate vulnerabilities in the Department's internet-accessible systems and services, or in vendors' internet-accessible systems and services. Vulnerabilities found in non-federal vendor internet-accessible systems and services fall outside the scope of this policy and should be reported directly to the vendor according to the vendor's disclosure policy (if applicable).

Please review, understand, and agree to the guidelines below before conducting any research of the Department's internet-accessible systems or services, and before submitting a report.

Scope

All internet-accessible, public-facing systems or services of the Department are within the scope of the VDP.

Guidelines

Under the VDP, "research" activities require that:

  • Once a vulnerability is discovered or sensitive data (including personally identifiable information (PII)[1], financial information, or proprietary information or trade secrets of any party) is identified, the security researcher stops testing and notifies the Department immediately.
  • If PII is discovered, the security researcher indicates the type of PII in the report (e.g., SSN, name, address). Do not include the PII itself in the reported vulnerability. If contact information is provided, the Department may follow up with an e-mail from OCIO_VDP@ed.gov for any further information.
  • Security researchers shall report potential vulnerabilities identified in Department systems via e-mail to OCIO_VDP@ed.gov. Submissions may be provided anonymously, but contact information may be requested for follow-up. For reports submitted in compliance with this policy, the Department will acknowledge receipt within three (3) business days. The Department will attempt to validate and triage submissions in a timely manner, implement corrective actions if appropriate, and inform security researchers of the disposition of reported vulnerabilities.
  • Security researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Security researchers must only use exploits to the extent necessary to confirm a vulnerability's presence. Security researchers must not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Security researchers provide the Department a reasonable amount of time (90 calendar days) to resolve the issue before disclosing it publicly.
  • Security researchers should not submit a high volume of low-quality reports.
  • Security researchers may not send encrypted emails at this time.

What Security Researchers Should Expect from the Department

The Department commits to coordinating with security researchers who choose to share their contact information as openly and as quickly as possible.

  • The Department will acknowledge that a report has been received within three (3) business days.
  • The Department will, to the best of its ability, confirm the existence of the vulnerability to the security researcher and be as transparent as possible about what steps are being taken during the remediation process, including any issues or challenges that may delay resolution.
  • The Department will maintain an open dialogue to discuss issues.

Testing Methods

Security researchers must not:

  • Test any system other than the systems set forth in the 'Scope' section above.
  • Disclose vulnerability information except as set forth in the 'Reporting a Vulnerability' and 'Disclosures' sections below.
  • Engage in physical testing of facilities or resources.
  • Engage in social engineering.
  • Send unsolicited electronic mail to the Department users, including "phishing" messages.
  • Disclose any PII found to any third party.
  • Execute or attempt to execute Denial of Service (DOS), Distributed Denial-of-Service (DDoS), or resource exhaustion attacks.
  • Introduce malicious software.
  • Test in a manner which could degrade the operation of the Department systems.
  • Intentionally impair, disrupt, or disable the Department systems.
  • Test third-party internet-accessible systems or services that integrate with or link to or from Department systems.
  • Delete, alter, share, retain, or destroy the Department data, or render the Department data inaccessible.
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on the Department systems, or "pivot" to other Department systems.

Security researchers should:

  • Terminate testing and notify the Department immediately upon discovery of a vulnerability.
  • Terminate testing and notify the Department immediately upon discovery of an exposure of nonpublic data.

Reporting a Vulnerability

Security researchers' reports are accepted via electronic mail to OCIO_VDP@ed.gov. Do not submit reports via encrypted e-mail. Acceptable e-mail message formats are plain text, rich text, and HTML. Submissions must include:

  • A description of the vulnerability found by the security researcher.
  • The date the vulnerability was discovered.
  • Identification of the vulnerability's location and the potential impact.
  • Technical information needed to reproduce the vulnerability. Scripts or exploit code should be embedded in non-executable file types; the Department can process all common file types and file archives, including zip, 7zip, and gzip.

Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability. Images, e.g., screen captures, and other documents may be attached to reports. It is helpful to give attachments illustrative names. Reports may include proof-of-concept code or screenshots that demonstrate exploitation of the vulnerability.

By submitting a report to the Department, security researchers represent that, to the best of their knowledge, the report and any attachments do not violate the intellectual property rights of any third party and the submitter grants the Department a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, or create derivative works, and publish the report and any attachments.

Security researchers may submit reports anonymously or security researchers may provide contact information, and any preferred methods or times of day to communicate, as they see fit. The Department may contact security researchers to clarify reported vulnerability information or other technical interchange.

Disclosures

The Department is committed to the timely correction of vulnerabilities. However, it is recognized that the public disclosure of a vulnerability in the absence of a readily available corrective action likely increases risk rather than decreases risk. Accordingly, the Department requests that security researchers refrain from sharing information about discovered vulnerabilities for ninety (90) calendar days after receiving an acknowledgement of receipt for the vulnerability from the Department via an email from OCIO_VDP@ed.gov.

If a security researcher believes others should be informed of the vulnerability before corrective actions are implemented, the Department requires advance coordination with the security researcher. The Department pledges to be as transparent as possible with security researchers about what steps are being taken during the remediation process to address the vulnerabilities brought to the Department's attention.

The Department may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. Names or contact data of security researchers will not be shared unless the Department has been given explicit permission to do so.

Recognition and Rewards

The Department will provide a Certificate of Recognition to security researchers for their good-faith participation in the VDP. The Department does not offer any monetary reward for the submission of vulnerabilities.

Legal Exposure

Security researchers must comply with all applicable federal, state, and local laws in connection with security research activities or other participation in the VDP. The Department does not authorize, permit, or otherwise allow (expressly or implied) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with the VDP or the law.

Security researchers may be subject to fines, imprisonment, or other penalties if they engage in any activities in violation of the VDP or the law, including unauthorized attempts to access, obtain, upload, modify, change, and/or delete information on Department systems, which are strictly prohibited and are subject to criminal prosecution under 18 U.S.C. § 1030. For purposes of the VDP, unauthorized access includes, but is not limited to, any access by an employee or agent of a commercial entity, or other third party, who is not the individual user of the application described in the "Scope" section above, for purposes of commercial advantage or private financial gain.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Department entity (e.g., other federal departments or agencies; state, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), those third party partners may independently determine whether to pursue legal action or remedies related to such activities.

For security research activities conducted in accordance with the restrictions and guidelines set forth in this policy, and that the Department concludes represent a good-faith effort to follow this policy, the Department will deem such activities authorized and (1) will not recommend or pursue legal action, and (2) in the event of legal action initiated by a third party against the security researcher, will make its authorization known.

The Department may modify the terms of the VDP or terminate the VDP at any time in its sole and absolute discretion. This policy is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the Department or related entities, its officers, employees, or agents, or any other person.

Questions

Questions regarding this policy may be sent to OCIO_VDP@ed.gov. The Department also welcomes contact from readers with suggestions for improving this policy.

Acronyms

ACRONYM  MEANING
CISA     Cybersecurity and Infrastructure Security Agency
DOS      Denial of Service
DDoS     Distributed Denial-of-Service
IAS      Information Assurance Services
OCIO     Office of the Chief Information Officer
PII      Personally identifiable information
VDP      Vulnerability Disclosure Policy

References

REFERENCE NAMES
  • OMB M-19-02, Fiscal Year 2018-2019 Guidance on Federal Information Security and Privacy Management Requirements
  • OMB M-20-32, Improving Vulnerability Identification, Management, and Remediation
  • DHS Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy
  • NIST, Framework for Improving Critical Infrastructure Cybersecurity
  • NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Document Change History

VERSION  DATE            DESCRIPTION
1.0      March 1, 2021   First issuance.
1.1      April 28, 2021  Revision.
2.0      May 28, 2021    Expanded scope to all internet-accessible, public-facing systems and services. Updated reporting method to include Microsoft Forms link.
3.0      May 05, 2023    Included Certificate of Recognition, removed MS Forms link, and minor edits.

[1] According to NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), PII is any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, or biometric records, including any other personal information which is linked or linkable to an individual.