Department of the Treasury: Vulnerability Disclosure Program

Submit your report here!

Submit report

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 48
  • Validation within 1 day 75% of submissions are accepted or rejected within 1 day

Latest hall of famers

View all 64

Recently joined this program

102 total

Introduction

The Department of the Treasury (Treasury) takes seriously our responsibility to protect the public's information, including financial and personal information, from unwarranted disclosure. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey preferences for how to submit discovered vulnerabilities to Treasury.

Security researchers should feel comfortable reporting vulnerabilities discovered, as defined in this policy, to afford Treasury the opportunity to remediate the findings for the purpose of ensuring confidentiality and keeping Treasury’s information safe.

This policy describes what systems and types of research are covered under this policy, how to send Treasury vulnerability reports, and how long Treasury asks security researchers to wait before publicly disclosing vulnerabilities.

Authorization

If you make a good faith effort to comply with this policy during your security research, Treasury will consider your research to be authorized, work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, Treasury will make this authorization known.

Guidelines

Security researchers shall:
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command-line access and/or persistence, or use the exploit to "pivot" to other systems. Once you've established that a vulnerability exists, or encountered any of the sensitive data outlined above, you must immediately stop your test and notify us.
Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified Treasury. For details, please review Coordinated Disclosure.

Treasury is committed to acknowledging receipt of the report within two business days.

Scope

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

Learn more about Bugcrowd’s VRT.