National Science Foundation - Vulnerability Disclosure Program

  • Safe harbor

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 94
  • Validation within about 21 hours 75% of submissions are accepted or rejected within about 21 hours

Recently joined this program


The National Science Foundation (NSF) is an independent federal agency whose mission is "to promote the progress of science; to advance the national health, prosperity, and welfare; to secure the national defense..." NSF funds approximately 25 percent of all federally supported basic research conducted by America's colleges and universities.

Protecting information is integral to the NSF mission. NSF has a proactive structure to communicate about and implement NSF's Information Technology (IT) security and privacy program objectives and agency-wide initiatives. NSF aligns security and privacy program activities with industry standards and best practices. NSF is also committed to ensuring the security of the American public by protecting their information.

NSF welcomes the research and assessment of potential vulnerabilities from independent researchers. In compliance with the U.S. Department of Homeland Security Binding Operational Directive 20-01, Develop and Publish a Vulnerability Policy (September 2, 2020), the NSF Vulnerability Disclosure Policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities about NSF, and to convey NSF preferences in how to submit discovered vulnerabilities to NSF.

NSF's Vulnerability Disclosure Policy describes:

  • What systems and types of research are covered under the policy
  • How to send vulnerability reports to NSF
  • How long security researchers are asked to wait before publicly disclosing vulnerabilities

NSF encourages the public to use the processes described in this policy to report potential vulnerabilities in its systems.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.