National Labor Relations Board: Vulnerability Disclosure Program

The National Labor Relations Board (“NLRB”) is committed to maintaining the security of all of our systems, including our electronic information systems, and protecting sensitive information from unauthorized disclosure.

This policy identifies certain information systems and types of security research implicated by federal Coordinated Vulnerability Disclosure (CVD) methodologies for cybersecurity risk management programs. It also describes how vulnerability reports should be forwarded to the Agency, and how long the Agency asks security reporters to wait before publicly disclosing vulnerabilities.

We encourage security researchers to contact us to report potential vulnerabilities identified in NLRB systems. For reports submitted in compliance with this policy, the NLRB will acknowledge receipt within three business days, endeavor to timely validate submissions, implement corrective actions if appropriate, and inform submitters of the disposition of reported vulnerabilities.

As a general policy, without specific promise or consideration, the Agency will consider reports received under the steps and procedures outlined herein to be evidence of good faith efforts to assist and comply with Agency vulnerability priorities and will make reasonable efforts to resolving reported issues without the recommendation of legal action. This statement does not constitute a waiver of any right or obligation on the part of the United States or the National Labor Relations Board.

Guidelines

Under this policy, “research” means activities in which you:

• Notify us as soon as possible after you discover a real or potential cybersecurity issue.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
• Do not submit a high volume of low-quality reports.
• Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test Methods

Security researchers are not authorized to:

• test any system other than the systems set forth in the ‘Scope’ section below,
• disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability and ‘Disclosure’ sections below,
• engage in physical testing of facilities or resources,
• engage in social engineering,
• send unsolicited electronic mail to NLRB users, including “phishing” messages,
• execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
• introduce malicious software,
• test in a manner which could degrade the operation of NLRB systems; or intentionally impair, disrupt, or disable NLRB systems,
• test third-party applications, websites, or services that integrate with or link to or from NLRB systems,
• delete, alter, share, retain, or destroy NLRB data, or render NLRB data inaccessible, or,
• use an exploit to exfiltrate data, establish command-line access, establish a persistent presence on NLRB systems, or “pivot” to other NLRB systems.

Security researchers may:

• view or store NLRB nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

Security researchers must:

• cease testing and notify us immediately upon discovery of a vulnerability,
• cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and,
• purge any stored NLRB nonpublic data upon reporting a vulnerability.