The U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”) is committed to maintaining the security of our systems and protecting sensitive information from unauthorized disclosure.
This policy describes what systems and types of security research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage security researchers to contact us to report potential vulnerabilities identified in PCLOB systems. For reports submitted in compliance with this policy, the PCLOB will acknowledge receipt within three business days, endeavor to timely validation of submissions, implement corrective actions if appropriate, and inform researchers of the disposition of reported vulnerabilities.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.
Security researchers must not:
- Test any system other than the systems set forth in the “Scope” section below,
- Disclose vulnerability information except as set forth in the “Reporting a Vulnerability” and “Disclosure” sections below,
- Engage in physical testing of facilities or resources,
- Engage in social engineering,
- Send unsolicited electronic mail to PCLOB users, including “phishing” messages,
- Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
- Introduce malicious software,
- Test in a manner which could degrade the operation of PCLOB systems; or intentionally impair, disrupt, or disable PCLOB systems,
- Test third-party applications, websites, or services that integrate with or link to or from PCLOB systems,
- Delete, alter, share, retain, or destroy PCLOB data, or render data inaccessible, or,
- Use an exploit to exfiltrate data, establish command-line access, establish a persistent presence on PCLOB systems, or “pivot” to other PCLOB systems.
Security researchers may:
- View or store PCLOB nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must:
- Cease testing and notify us immediately upon discovery of a vulnerability,
- Cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and,
- Purge any stored PCLOB nonpublic data upon reporting a vulnerability.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.