Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
To establish general guidelines and expectations for responsible vulnerability reporting in the District. All District agencies are responsible for protecting information from unauthorized disclosure and providing safe mechanisms for agencies to report vulnerabilities they discover for appropriate remediation.
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
The District Workforce, Residents, and External parties play an integral role in protecting the public's information, including financial and personal information, from unwarranted disclosure. District Workforce, Residents, and External parties should have a method to report vulnerabilities they discover. This policy covers the types of research allowed, guidelines for publicly disclosing vulnerabilities, and instructions for reporting to OCTO through a centralized system.
4.1. Authorized Testing or Research
All testing or research into the District IT systems shall be coordinated through the District agency and OCTO.
4.2. Unauthorized Testing or Research
Testing or research not specifically authorized by OCTO and the specific District Agency on the part of the District Workforce, Residents, and External parties is disallowed and may result in privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
4.3. Coordinated Disclosure
OCTO is committed to patching vulnerabilities as outlined in the District Patch Management and Vulnerability Management Policies.
District Workforce and External parties who discover a vulnerability shall report the vulnerability following the process outlined in this document. They shall refrain from sharing the reporter's personally identifiable information ("PII") and other sensitive or confidential information with others.
District residents and visitors to the District's information technology systems who discover a vulnerability are encouraged to report the vulnerability following the process outlined in this document. They should refrain from sharing their PII and other sensitive or confidential information with others.
By default, the District does not share vulnerabilities or mitigation efforts outside of the District, and we will never publish information about you or our communications with you without your permission. In some cases, we may also have some sensitive information that should be redacted. Please check with us before self-disclosing your information.
4.4. Vulnerability Reporting
When vulnerabilities are discovered, District Agencies and the workforce should follow normal reporting processes. Residents and External parties may use one of the following methods to report:
4.4.1. Signal App account (202) 445-1726
4.4.2. WhatsApp account (202) 445-1726
4.4.3. Perrio App account ciso_dc
4.4.4. Disclosure email: [email protected]
4.5. Receipt of Vulnerability Report
Upon receipt of a vulnerability report, the OCTO Chief Information Security Officer ("CISO") will acknowledge receipt of the report. The OCTO CISO and Security Operations Center ("SOC") Manager will contact the affected District Agency Chief Information Officer ("CIO") to begin remediation efforts. District Residents, visitors, and External parties shall not expect further communication of remediation efforts.
4.6. Policy Maintenance
OCTO is responsible for the maintenance, administration, and publication of this policy. OCTO will annually review this policy and update it as needed to ensure the policy's technical relevance and regulatory compliance.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.