Vulnerability Disclosure Policy

POLICY

Subject: EQUAL EMPLOYMENT OPPORTUNITY COMMISSION (EEOC) VULNERABILITY DISCLOSURE PROGRAM (VDP)

Sponsor: OFFICE OF INFORMATION TECHNOLOGY (OIT)

1. EFFECTIVE DATE. This program shall become effective on February 15, 2021 and continue in effect until amended or retracted.

2. OVERVIEW. The security researcher community regularly makes valuable contributions to the security of organizations and the broader internet. The Vulnerability Disclosure Program (VDP) is the EEOC’s legal avenue for researchers to find and disclose vulnerabilities in EEOC public-facing systems. The program was the first of its kind for the EEOC. This clear guidance not only helps security researchers know how to test and disclose vulnerabilities in EEOC websites, but it also commits the EEOC to working transparently with the research community.

3. PURPOSE. This policy provides a standard Equal Employment Opportunity Commission (EEOC), Office of the Information Technology (OIT) in support of the Commission’s commitment to protecting unwarranted disclosure of information. This policy describes which EEOC information systems (IS) are within scope and defines accepted cybersecurity (CS) research that is covered under this policy, to include, how to send EEOC vulnerability reports, and how long we ask security researchers to delay publicly disclosing vulnerabilities. EEOC expects that the VDP will provide an independent assessment of the domain’s security and defense measures by potentially identifying vulnerabilities not found by existing penetration-team and automated efforts, non-compliance with cyber security guidance as well as training deficiencies. This policy is presented to ensure acceptance and acknowledgement of the existence of potential vulnerabilities, their assessment for security research purposes as well as the process in which they are to be provided to the Commission.

4. SCOPE. The following EEOC internet-accessible applications and systems are within the scope of this policy.

Any service not expressly listed below, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-federal systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy, if any. If unsure whether a system or endpoint is in scope or not, contact EEOC by email with the subject Security Research Query at vdp.disclosure@eeoc.gov prior to beginning your research.

1. EEOC domains and subdomains that are within scope:
   • eeoc.gov
   • eeocdata.org
   • bi.eeoc.gov
   • eeotraining.eeoc.gov
   • ims.eeoc.gov
   • nxg.eeoc.gov
   • oig.eeoc.gov
   • publicportal.eeoc.gov
   • stage.oig.eeoc.gov
   • sts.eeoc.gov
   • surveys.eeoc.gov
   • uat-www.eeoc.gov
   • vpcmts.eeoc.gov
   • youth.eeoc.gov

Though we may develop and maintain other internet-accessible systems or services, EEOC requests that active research and testing only be conducted on the systems and services covered by the scope of this policy. If there is a particular system not in scope that is discovered and potentially merits testing, please contact EEOC to discuss it first.

5. ACTION. All citizens, researchers and EEOC Leadership shall ensure that staff are familiar with the following policies and guidelines, and that these are followed unless exceptions are formally approved.

1. We request that you:
   1. Notify the Commission upon initiating active security vulnerability research within our scope.
   2. Notify the Commission as soon as possible after you discover a real or potential security issue.
   3. Provide EEOC ninety days to resolve the issue before you disclose it publicly.
   4. Comply with Privacy laws, making every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
   5. Only use exploits to the extent necessary to confirm the presence of a vulnerability. Do not use or attempt to use an exploit to compromise or exfiltrate data, establish unauthorized access and/or persistence, or use the exploit to “pivot” to other systems.
   6. Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information (PII), financial information, or proprietary information or trade secrets of any party within our domain(s)), you must cease your test, notify EEOC immediately, and not disclose this data to any other individuals or entities.
   7. Refrain from submission of misinformation or a high volume of low-quality reports.
   8. If at any point you are uncertain whether to continue testing, please engage our team.
   9. This is EEOC’s initial effort to create a positive feedback loop between researchers and EEOC – please be patient as we refine and update the process.
   10. Please review, understand, and agree to the following terms and conditions before conducting any testing of EEOC applications and before submitting a report.
2. Good-faith security research. We authorize good-faith research, that is consistent with accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public.
   1. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and EEOC will not recommend or pursue legal action related to your research.
3. Security research testing. The following test types are not authorized:
   1. Application, Network or IS denial of service (DoS or DDoS) tests.
   2. Physical testing (e.g. office access, open doors, tailgating).
   3. Social engineering (e.g. mishing, phishing, vishing), or any other non-technical vulnerability testing.
4. Please provide EEOC with fundamental elements of the vulnerability research, to include:
   1. Your name, contact information, any affiliations (i.e., academia, organization, personal interest).
   2. Research purpose, goal of research, research environment(s) (i.e., lab, home, public).
   3. Description of the vulnerability, where it was discovered, likelihood or the potential impact of exploitation.
   4. Specific asset(s), Internet protocol (IP) space, Operating system (OS), Application(s), software development coding or development activities affected.
   5. Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts, images or screenshots are helpful).
   6. Be presented in English, if possible.

6. ROLES AND RESPONSIBILITIES. VDP activities will be governed by the Office of the Information Technology (OIT) by delegation. Following briefing on the vulnerability as well as potential control measures, the CIO will be briefed and formally decide the outcome of each VDP risk decision or delegate this action to the appropriate directorate or staff.

7. FORMS/REPORTS. VDP reports will be generated monthly or as critical disclosure warrants reporting to OIT and as applicable, the Enterprise Risk Management (ERM) leadership. Upon review of the vulnerability and potential ensuing risk, a risk decision will be documented and executed accordingly. The Commission will engage external stakeholders accordingly to pursue the remediation of vulnerabilities. This includes contacting service providers, software vendors and federal partners while confirming the existence of the vulnerability.

8. REQUEST FOR CHANGES. The CIO, Deputy CIO, and Chief Information Security Officer (CISO) are the points of contact for questions and changes to this policy. Changes may be proposed in the same manner as described for proposal and adoption of policies; however, those which affect general OIT policy and operations should first be discussed with management staff.

9. QUESTIONS and FURTHER INFORMATION. Any questions about this policy should be directed to the EEOC Chief Information Security Officer, which can be directed to the VDP submission address at vdp.security@eeoc.gov. Any ethical questions should be directed to the Office of Legal Counsel (OLC) at OLC@eeoc.gov.

10. ENFORCEMENT: POLICY VIOLATIONS. Failure to adhere to this policy may result in reporting to Cybersecurity and Infrastructure Security Agency (CISA), Law Enforcement (LE) entities and other legal actions as determined by Agency leadership.