Approved Date – 02/22/2021
Published Date – 02/22/2021
Reviewed Date – 03/13/2023
Establish general guidelines and expectations for vulnerability reporting when vulnerabilities are discovered in the course of good faith research conducted by security researchers on the District's systems and network.
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer ("OCTO") with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to independent security researchers and enthusiasts who abide by ethical practices and conduct.
As part of the District Government's effort to maintain the security of its systems and to protect sensitive information from unauthorized disclosure, the District Government has developed this policy to provide appropriate guidance on potential security research on DC Government systems, domains, and network. All Security Researchers must conduct their research in good faith to be considered compliant with this policy.
The following requirements are addressed in this policy:
- Reporting a Vulnerability
- Disclosing a Vulnerability
- Vulnerability Testing Criteria
- Authorized Systems, Domains, and Services for Security Research
4.1. Reporting a Vulnerability
Whenever vulnerabilities are discovered, they must be reported to the District/OCTO through the avenues listed below.
4.1.1. Details of the Vulnerability Report:
To help the OCTO SOC triage and prioritize submissions, Security Researchers are encouraged to include the following in their report:
- Provide their contact details.
- Describe when the vulnerability was discovered, its location, and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability; proof-of-concept scripts or screenshots are helpful if they do not contain sensitive data.
- Provide a mitigation recommendation and include any related technical information.
- Attach relevant images (e.g., screen captures) and other documents to the report, giving attachments illustrative names.
- Include proof-of-concept code that demonstrates exploitation of the vulnerability, if available. It is recommended that any scripts or exploit code be embedded in non-executable file types. All common file types and file archives, including zip, 7zip, and gzip, can be processed.
- Be in English, if possible.
Vulnerability reports can be submitted with the researcher's contact information at any time of day. The security researcher may be contacted to clarify the reported vulnerability information or for other technical exchange.
Security researchers must contact the Office of the Chief Technology Officer (OCTO) to report potential vulnerabilities identified in DC Government systems and network, and must refrain from disclosing such vulnerabilities publicly before they have been properly remediated. The acceptable message formats are plain text, rich text, and HTML.
Reports are required to be submitted through the following mediums:
All vulnerability reports sent to either of the two locations above must be encrypted with a minimum of 256-bit AES.
By submitting a report to the District Government through OCTO, researchers warrant that the report and any attachments do not violate the intellectual property rights of any third party and that the submitter grants the District Government a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.
4.1.2. What you can expect from District Government/OCTO
For reports submitted in compliance with this policy, OCTO must:
- acknowledge receipt within three business days,
- endeavor to validate submissions in a timely manner,
- implement corrective actions if appropriate, and
- inform researchers of the disposition of reported vulnerabilities.
All security research conducted in good faith and reported in accordance with the guidelines stated in this policy will be considered authorized. OCTO will work with the security researcher to understand and resolve the reported vulnerabilities quickly.
4.2. Disclosing a Vulnerability
4.2.1. The District Government is committed to timely correction of vulnerabilities. However, it is well known that public disclosure of a vulnerability in the absence of a readily available corrective action is more likely to increase risk than to decrease it. Accordingly, the District Government requires that security researchers refrain from disclosing vulnerabilities until they have received confirmation from OCTO that remediation of the vulnerability is complete. If security researchers believe others should be informed of the vulnerability before the District Government implements corrective actions, the District Government requires that they coordinate in advance with OCTO.
4.2.2. The District Government may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), with other U.S. Government agencies as required by law or as deemed necessary, and with any affected vendors. The names and contact details of security researchers shared with the District Government must not be shared publicly or with any other party without the explicit permission of the Security Researcher, unless required by law.
4.2.3. Information submitted under this policy will be used for defensive purposes only, to mitigate or remediate vulnerabilities. If the findings include newly discovered vulnerabilities that affect all users of a product or service and not solely the District Government, those findings may be shared with CISA, where they will be handled under CISA's coordinated vulnerability disclosure process. They may also be shared with other U.S. Government entities if required by law or regulation.
4.2.4. Security research that complies with this policy will not result in any legal prosecution of the security researcher.
4.2.5. Should legal action be initiated by a third party against security researchers for activities that were conducted in accordance with this policy, the District Government/OCTO will make its authorization known to such third party.
4.3. Vulnerability Testing Criteria
4.3.1. Security researchers must not:
- Test any system other than the systems set forth in the 'Authorized Systems, Domains, and Services for Security Research' section below,
- Disclose vulnerability information except as set forth in the 'Reporting a Vulnerability' and 'Disclosing a Vulnerability' sections above,
- Unless explicitly authorized by the District of Columbia Government, engage in any of the following prohibited activities:
  - physical testing of facilities or resources,
  - social engineering,
  - sending unsolicited electronic mail to District Workforce users, including "phishing" messages,
  - executing or attempting to execute "Denial of Service" or "Resource Exhaustion" attacks,
  - introducing malicious software,
  - testing in a manner that could degrade the operation of District Government systems, or intentionally impairing, disrupting, or disabling its systems,
  - testing third-party applications, websites, or services that integrate with or link to or from District Government systems,
  - deleting, altering, sharing, retaining, or destroying the District Government's data, or rendering its data inaccessible,
  - using an exploit to exfiltrate data, establish command-line access, establish a persistent presence on the District Government's systems, or "pivot" to other District Government systems.
4.3.2. Security researchers may:
View or store (encrypted) the District Government's nonpublic data only to the extent necessary to document the presence of a potential vulnerability. Such data must not be released to the public beyond what is needed to describe the vulnerability itself.
4.3.3. Security researchers must:
- cease testing and notify OCTO immediately upon discovery of a vulnerability,
- cease testing and notify OCTO immediately upon discovery of an exposure of nonpublic data, and
- purge any stored District Government nonpublic data upon reporting a vulnerability.
4.4. Authorized Systems, Domains, and Services for Security Research
The District Government's public-facing applications and services.
[Note: vulnerabilities found on platforms hosted by vendors may be subject to the hosting provider's disclosure policy.]
The definitions of terms used in this document can be found on the Policy Definitions website.