
Office of the Chief Technology Officer
 


Responsible Disclosure in the District of Columbia

Responsible Disclosure: Protecting Our Information

What does Responsible Disclosure mean?

The District of Columbia Government Workforce, Residents, and External parties play an integral role in protecting the public’s information, including financial and personal information, from unwarranted disclosure. District Workforce, Residents, and External parties should have a method to report vulnerabilities they discover. Responsible Disclosure applies to all District workforce that have access to servers, workstations, laptops, tablets, smartphones, and networks used to conduct official District government business or interact with internal networks and business systems, whether owned or leased by the District Government, the employee, or a third party.

 

Authorized Testing and Research.

All testing and research into District IT systems shall be coordinated through the District Agency CIO and OCTO.

 

Unauthorized Testing and Research.

Testing or research by the District Workforce, Residents, and External parties that is not specifically authorized by OCTO and the specific District Agency is disallowed and may result in privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

 

Coordinated Disclosure

OCTO is committed to patching vulnerabilities as outlined in the District Patch Management Policy.

 

Vulnerability Reporting.

When vulnerabilities are discovered, District Agencies and workforce are required to report the findings to OCTO.

DC Government Agencies are to report all critical findings and/or vulnerabilities on the DC Government network to OCTO through the Security Operations Center, [email protected]. Upon receipt of a vulnerability report, the OCTO Chief Information Security Officer (“CISO”) will acknowledge receipt of the report. The OCTO CISO and Security Operations Center (“SOC”) Manager will contact the affected District Agency Chief Information Officer (“CIO”) to begin remediation efforts.

DC Residents and External parties* should report findings and vulnerabilities to one of the following public channels:

*District Residents, visitors and External parties shall have no expectation of further communication of remediation efforts once reported.

For general questions concerning Governance, Risk and Compliance in the District of Columbia, please contact OCTO’s GRC officers at [email protected].