National Park Service

  • Safe harbor

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted: 57
  • Validation within about 5 hours: 75% of submissions are accepted or rejected within about 5 hours

The Department of the Interior (DOI), of which the National Park Service is a bureau, is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems. Use this form to report vulnerabilities in National Park Service systems.

Guidelines

You MUST read and agree to abide by the guidelines in this policy for conducting security research and disclosure of vulnerabilities or indicators of vulnerabilities related to NPS information systems. We will presume you are acting in good faith when you discover, test, and submit reports of vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:

  • You MAY test internet-accessible NPS information systems to detect a vulnerability or identify an indicator related to a vulnerability for the sole purpose of providing NPS information about such vulnerability.
  • You MUST avoid harm to NPS information systems and operations.
  • You MUST NOT exploit any vulnerability beyond the minimal amount of testing required to prove that the vulnerability exists or to identify an indicator related to that vulnerability.
  • You MUST NOT intentionally access the content of any communications, data, or information transiting or stored on NPS information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • You MUST NOT exfiltrate any data under any circumstances.
  • You MUST NOT intentionally compromise the privacy or safety of NPS personnel (e.g., civilian employees) or any legitimate third parties.
  • You MUST NOT intentionally compromise the intellectual property or other commercial or financial interests of any NPS personnel or entities or any legitimate third parties.
  • You MUST NOT disclose any details of any extant NPS information system vulnerability or indicator of vulnerability to any party not already aware at the time the report is submitted to NPS.
  • You MUST NOT create user (or any) accounts on NPS systems for testing.
  • In the event that you find a vulnerability in an NPS information system consequent to a vulnerability in a generally available product, you MAY report the product vulnerability to the affected vendor or a third-party vulnerability coordination service in order to enable the product to be fixed.
  • You MUST NOT disclose any incidental proprietary data revealed during testing or the content of information rendered available by the vulnerability to any party not already aware at the time the report is submitted to NPS.
  • You MUST NOT cause a denial of any legitimate services in the course of your testing.
  • You MUST NOT conduct social engineering, in any form, against NPS personnel or contractors.
  • You SHOULD strive to submit high-quality reports.
  • You MUST NOT submit a high volume of low-quality reports.
  • You MUST comply with all applicable Federal, State, and local laws in connection with security research activities or other participation in this vulnerability disclosure program.

Security researchers must:

  • Cease testing and notify us immediately upon discovery of a vulnerability.
  • Cease testing and notify us immediately upon discovery of an exposure of nonpublic data.
  • Purge any stored NPS nonpublic data upon reporting a vulnerability.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Scope

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.