Department of Veterans Affairs

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 120
  • Validation within about 5 hours 75% of submissions are accepted or rejected within about 5 hours

Recently joined this program


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.


The Department of Veterans Affairs (VA) is charged with providing health care and benefits to support Veterans and members of their families.
VA is committed to ensuring the integrity of its information by securing its information systems. A vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” This Vulnerability Disclosure Policy (VDP) is meant to address some of the possible apprehensions and explain what research would be authorized under this VDP. Good faith research that conforms to these guidelines is considered authorized research. The Department will focus on quickly working to resolve the vulnerability you have identified and is not interested in pursuing legal action when there is authorized research under this policy.
This policy describes what systems and types of research are covered under this policy, how to report the vulnerability, how long VA asks security researchers to wait before publicly disclosing vulnerabilities and what communication or response to expect from the Department.
The Department encourages security researchers to contact us to report potential vulnerabilities in VA systems.

These Guidelines Require that You/a Researcher:

  • Access a VA information system in a way that follows this VDP.
  • If you discovered a vulnerability, reported it by following the instructions in this VDP.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Limit the use of discovered exploits to the extent necessary to confirm a vulnerability’s presence.
  • Do not use an exploit to compromise or exfiltrate data, establish command-line access and/or persistence, or use the exploit to pivot to other systems.
  • Provide VA a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality vulnerability reports.

If you established that a vulnerability or security weakness exists or encounter any sensitive data or data belonging to individuals with their financial information, medical information, contract information or proprietary information which might be a trade secret, you must stop your test, notify VA immediately, and not disclose this data to anyone else.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.