The federal Judiciary has unveiled a new Vulnerability Disclosure Policy to ensure the security of data that can be accessed online. The policy gives security researchers clear guidelines on how they may conduct vulnerability discovery activities. It also instructs researchers on how to submit discovered vulnerabilities to the Judiciary.
Vulnerability disclosure policies are quickly becoming an industry standard in security practice, as federal agencies work to secure their networks from hackers and other nefarious actors.
Federal government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), Department of Justice (DOJ), Department of Energy (DOE), Federal Trade Commission (FTC), and more have issued similar plans.
Under the policy, researchers must stop testing as soon as they establish that a vulnerability exists or they encounter any sensitive data. This can include personally identifiable information, financial information, or proprietary information or trade secrets of any party. Researchers also must notify the Judiciary immediately, and not disclose data they have accessed to anyone else.
This policy applies to the following systems and services:
Any service not expressly listed above is outside the disclosure policy and is not authorized for testing. Similarly, the policy lists an extensive set of specific activities, including denial-of-service attacks, that are not authorized.
The policy warns that any unauthorized activities may be regarded as illegal hacking. “If you engage in any activities that are inconsistent with this policy or other applicable law, you may be subject to criminal and/or civil liabilities,” it noted.
Questions regarding this policy and suggestions for improving it may be sent to firstname.lastname@example.org.