Vulnerability Disclosure Policy

As provided in OMB M-20-32 and DHS CISA BOD 20-01 (Sept. 2, 2020), Federal policy encourages good-faith research, discovery, and reporting of vulnerabilities in U.S. Government web sites and other internet-accessible systems or services.

How to report

In accordance with the above policy, we request that vulnerabilities, if any, found only on the following FTC web sites be reported to us by e-mail at security@ftc.gov. (More FTC domains may be added to this list in the future.)

We currently do not support PGP-encrypted e-mails. Reports may be submitted anonymously. If you provide us your contact information, we will acknowledge your report within 3 business days.

What to report

Please provide information to assist the FTC in finding and analyzing the vulnerability, including for example a description of the vulnerability, its location (e.g. full URL), the potential impact, technical information needed to reproduce the vulnerability, any proof of concept code, and any other information you may believe is relevant or necessary for the FTC to identify and remedy the vulnerability. You need not include personally identifying information (PII) about yourself when submitting a report, but we request that you provide us a way to contact you if you want us to acknowledge your request, and for us to follow up with additional questions, if necessary.

What activities are allowed or prohibited

This policy is not intended to prohibit vulnerability testing that does not compromise the confidentiality, integrity, or availability, or otherwise interfere with the operation, of the FTC systems and services within the scope of this policy. The following activities are not authorized:

  • Network denial of service (DoS or DDoS) tests
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
  • Disclosure to any party (other than reporting to the FTC) of PII acquired from an FTC system
  • Research activities that would violate the rights any other individual or entity

What to expect

In addition to acknowledging your request as noted above, we will confirm, where possible, whether the vulnerability exists, and let you know, as appropriate, what steps we are taking during the remediation process, including issues or challenges that may delay resolution. We may be unable to share certain information for security or legal reasons. We cannot provide “bug bounties” or rewards, and you understand and agree that the FTC will not compensate you for reporting vulnerabilities. In addition, where necessary, we may be required to share reports with other agencies or entities to investigate or otherwise assist us in remediating reported vulnerabilities, or as otherwise authorized or required by law.

Legal

You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program. We do not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

By submitting a report to the FTC, researchers warrant that the report and any attachments do not violate the intellectual property rights of any third party and the submitter grants the FTC a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.

Except as authorized or required by law, we do not intend to recommend legal action against security research activities that we believe are authorized and represent a good-faith effort to follow the above policy.

We may modify the terms of this policy or terminate the policy at any time.

Date of Issuance: March 1, 2021     Last Updated: March 1, 2021