Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program
This is meant to be public
This is meant to be public
Public Exposure of NASA Center Staff Contact Information (ARC, AFRC, GRC)
Summary:
During open‑source research, I discovered a publicly accessible PDF document on the official NASA website that listed employee names, direct dial phone numbers, and @nasa.gov email addresses for three NASA centers (ARC, AFRC, GRC). No authentication was required to access the file.
Impact:
This information was available to any external party, including malicious actors, creating a risk of spear‑phishing, social engineering, and identity exposure of NASA staff.
Resolution:
I reported this through Bugcrowd’s VDP. NASA’s team evaluated the finding as Informational (P5) and accepted it as a security best‑practice awareness issue. They acknowledged the recommendation to conduct a PII audit to prevent future occurrences.
I selected Limited visibility, so only this summary is public – no internal comments or attachments are shared.