Summary by chirag8023
I discovered that multiple publicly accessible documents on NASA subdomains contained personally identifiable information (PII) of staff, collaborators, and stakeholders (names, emails, phone numbers, addresses). While the files were not hidden, they exposed sensitive contact details. I reported this exposure responsibly through Bugcrowd’s VDP so NASA could take corrective action.
The finding was made using only publicly available archival resources and manual inspection — no intrusive techniques.