
Department of Veterans Affairs
Introduction
The Department of Veterans Affairs (VA) is charged with providing health care and benefits to support Veterans and members of their families.
VA is committed to ensuring the integrity of its information by securing its information systems. A vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” This Vulnerability Disclosure Policy (VDP) is meant to address some of the possible apprehensions and explain what research would be authorized under this VDP. Good faith research that conforms to these guidelines is considered authorized research. The Department will focus on quickly working to resolve the vulnerability you have identified and is not interested in pursuing legal action when there is authorized research under this policy.
This policy describes what systems and types of research are covered under this policy, how to report the vulnerability, how long VA asks security researchers to wait before publicly disclosing vulnerabilities and what communication or response to expect from the Department.
The Department encourages security researchers to contact us to report potential vulnerabilities in VA systems.
These Guidelines Require that You/a Researcher:
- Access a VA information system in a way that follows this VDP.
- If you discover a vulnerability, report it by following the instructions in this VDP.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Limit the use of discovered exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not use an exploit to compromise or exfiltrate data, establish command-line access and/or persistence, or use the exploit to pivot to other systems.
- Provide VA a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality vulnerability reports.
If you establish that a vulnerability or security weakness exists, or encounter any sensitive data or data belonging to individuals (such as their financial information, medical information, contract information, or proprietary information that might be a trade secret), you must stop your test, notify VA immediately, and not disclose this data to anyone else.
Scope
Program rules
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.