EPA is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as described in this policy – so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and EPA will not recommend or pursue legal action related to your research.
Disclosure of vulnerabilities is completely voluntary. In no case shall disclosure of vulnerability information to the EPA constitute a contractual or any other type of relationship with the EPA. By submitting a vulnerability, the researcher acknowledges that, there is no expectation of payment for these services and waives any future payment claims against the U.S. Government related to the submission.
We request that you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Do not submit a high volume of low-quality reports.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.