Equal Employment Opportunity Commission: Vulnerability Disclosure Program

This policy provides a standard Equal Employment Opportunity Commission (EEOC), Office of the Information Technology (OIT) in support of the Commission’s commitment to protecting unwarranted disclosure of information. This policy describes which EEOC information systems (IS) are within the scope and defines accepted cybersecurity (CS) research that is covered under this policy, including how to send EEOC vulnerability reports, and how long we ask security researchers to delay publicly disclosing vulnerabilities. EEOC expects that the VDP will provide an independent assessment of the domain’s security and defense measures by potentially identifying vulnerabilities not found by existing penetration-team and automated efforts, non-compliance with cybersecurity guidance as well as training deficiencies. This policy is presented to ensure acceptance and acknowledgment of the existence of potential vulnerabilities, their assessment for security research purposes as well as the process in which they are to be provided to the Commission.