Vulnerability Disclosure Policy
The Farm Credit System Insurance Corporation (FCSIC) is issuing this Vulnerability Disclosure Policy (VDP or policy) under the Department of Homeland Security Directive 20-01 to give security researchers guidelines for conducting vulnerability discovery activities and for reporting vulnerabilities to us.
We are committed to maintaining the security of our systems and protecting sensitive information from unauthorized disclosure, and we encourage security researchers to contact us to report potential vulnerabilities in our systems. Pursuant to the Binding Operational Directive (BOD), all good faith reporters will be treated the same way under this policy.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Vulnerability disclosure is the act of initially providing vulnerability information to us that you believe we are not aware of. The individual or organization that performs this act is called the reporter or researcher.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
Please send any questions regarding this policy, or recommendations for improving it, to [email protected].
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and FCSIC will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Under this policy, “research” means activities in which you:
- Do not test any system other than the systems set forth in the “Scope” section below.
- Do not disclose vulnerability information except as described below under “Reporting a Vulnerability” and “Disclosure.”
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and refrain from disclosing this data to anyone else.
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests
- Testing activities that could potentially impair access to or damage a system or data
- Deleting, altering, sharing, retaining, or destroying FCSIC data
- Exploits related to exfiltrating data, establishing command line access, establishing a persistent presence on FCSIC systems, or pivoting to other FCSIC systems
- Physical testing (e.g., office access, open doors, tailgating)
- Social engineering (e.g., phishing, vishing, whaling) or any other nontechnical vulnerability testing
- Use of malicious software
- Tests of third-party applications, websites, or services that integrate with or link to or from FCSIC systems
- Any testing activity that could reasonably be considered a malicious attack
No testing method may disclose to a third party any personally identifiable information discovered.
This policy applies to the following systems and services:
Any services not listed above, such as any connected services, are excluded from scope and are not authorized for testing. Also, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to the vendor’s disclosure policy (if any).
If you aren’t sure whether a system is in scope, contact us at [email protected] before starting your research (or at the security contact for the system’s domain name listed at .gov WHOIS).
Although we develop and maintain other internet-accessible systems and services, active research and testing may be conducted only on the systems and services covered by the scope of this document. If there is a system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
To submit a vulnerability report, send it to [email protected]. Be sure to encrypt or redact reports and screenshots concerning sensitive or personally identifiable information. Note: We do not support PGP-encrypted emails. If you believe it is necessary to share sensitive information with us, please indicate this on the report; we will reach out to provide a more secure method.
You may submit reports anonymously. However, if you do share your contact information, we will be able to send you an acknowledgement receipt. We may also later decide to provide you information on remediation steps we took in response to your report (see “What you can expect from us” below).
FCSIC does not issue payments for vulnerability reports. By submitting a vulnerability report to FCSIC, you acknowledge that you have no expectation of payment and that you expressly waive any future remuneration claims against the U.S. government related to your submission.
By submitting a vulnerability report, you also warrant that the report and any attachments do not violate the intellectual property rights of any third party.
What reports should include
- A description of where the vulnerability was discovered and the potential impact of its exploitation.
- A detailed description of the steps needed to reproduce the vulnerability (screenshots are helpful). Note: Do not send proof-of-concept code that demonstrates exploitation of the vulnerability, or any executable files.
- The date and time (indicating the time zone) the vulnerability was discovered.
- Acknowledgement that the report is voluntarily submitted and no remuneration is expected.
We prefer that reports be in English, if possible.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you openly and within a reasonable timeframe.
- Within five business days, we will acknowledge that your report has been received unless we determine your report is not pertinent to the scope of this policy (e.g., it is spam, product promotion, or marketing), in which case no acknowledgement will be provided.
- To the best of our ability, we will provide you with confirmation of whether the vulnerability exists, and we will be as transparent as possible about the steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We pledge to be as transparent as possible about how we treat vulnerability reports but cannot promise to give individual responses in all instances.
FCSIC is committed to correcting vulnerabilities in a timely manner, but these corrections often require some time to develop and implement. To reduce the risk of exploitation of vulnerabilities, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days from the date you receive notice from us that we’ve received your report. If you believe others should be informed of the vulnerability before we have implemented corrective actions, we ask that you coordinate in advance with us.
We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency, as well as any affected vendors. We will not share names or contact data of security researchers unless you give us explicit permission.
| Version | Date | Description |
| --- | --- | --- |
| 1.0 | March 1, 2021 | First issuance |