Public Exposure of NASA Center Staff Contact Information (ARC, AFRC, GRC)

Disclosed by
govindpratapsingh
Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program

This is meant to be public

Summary by govindpratapsingh

Public Exposure of NASA Center Staff Contact Information (ARC, AFRC, GRC)

Summary:
During open‑source research, I discovered a publicly accessible PDF document on the official NASA website that listed employee names, direct dial phone numbers, and @nasa.gov email addresses for three NASA centers (ARC, AFRC, GRC). No authentication was required to access the file.

Impact:
This information was available to any external party, including malicious actors, creating a risk of spear‑phishing, social engineering, and identity exposure of NASA staff.

Resolution:
I reported this through Bugcrowd’s VDP. NASA’s team evaluated the finding as Informational (P5) and accepted it as a security best‑practice awareness issue. They acknowledged the recommendation to conduct a PII audit to prevent future occurrences.
I selected Limited visibility, so only this summary is public – no internal comments or attachments are shared.

Activity