doe.responsibledisclosure.com (104.16.51.111)

URL: https://doe.responsibledisclosure.com/hc/en-us
Submission: On May 15 via api from US — Scanned from DE

Welcome to Department of Energy Responsible Disclosure
By submitting a vulnerability to the Department of Energy through
ResponsibleDisclosure.com, you agree to the Terms of Service.

INTRODUCTION

The Department of Energy (DOE) is committed to ensuring the security of the
American public by protecting their information from unwarranted disclosure. As
such, the DOE has created a Vulnerability Disclosure Program and Policy to give
security researchers clear guidelines for conducting vulnerability discovery
activities on DOE systems and websites and to convey the DOE’s preferences in
how to submit discovered vulnerabilities to the Department.

The Department’s program and the rules of engagement described herein describe
which systems and types of research are covered under this program and how to
submit vulnerability reports, and ask that reporters refrain from publicly
disclosing submitted vulnerabilities.

Vulnerability disclosure is the “act of initially providing vulnerability
information to a party that was not believed to be previously aware.” The
individual or organization that performs this act is called the Reporter. This
program allows Reporters to alert the DOE to security flaws they find within the
DOE’s public-facing websites. Feedback received through this program allows the
DOE to fix flaws quickly when possible, thereby strengthening the integrity of
the Department’s information technology systems and enhancing protection of
government-owned data.

See https://www.energy.gov/vulnerability-disclosure-policy.

RESPONSIBLE DISCLOSURE POLICY:

This page is for security researchers interested in reporting application
security vulnerabilities. This is intended for application security
vulnerabilities only.

The details within your request form will be submitted to
ResponsibleDisclosure.com (operated by an independent third party, Synack). If
you have reported an issue determined to be within program scope and to be a
valid security issue, ResponsibleDisclosure.com will validate your finding, and
you will be allowed to disclose the vulnerability after a fix has been issued.
This process is managed exclusively by ResponsibleDisclosure.com through their
platform; accordingly, you must accept the ResponsibleDisclosure.com terms of
service if you wish to proceed. All queries are to be directed to
ResponsibleDisclosure.com and managed exclusively through the
ResponsibleDisclosure.com online portal.

TYPICAL VULNERABILITIES ACCEPTED:

 * OWASP Top 10 vulnerability categories
 * Other vulnerabilities with demonstrated impact

TYPICAL OUT OF SCOPE:

 * Theoretical vulnerabilities
 * Informational disclosure of non-sensitive data
 * Low impact session management issues
 * Self XSS (user defined payload)

For a full list of program scope, please visit the Responsible Disclosure
details page.

RESPONSIBLE DISCLOSURE GUIDELINES:

 * Adhere to all legal terms and conditions outlined at
   responsibledisclosure.com
 * Work directly with ResponsibleDisclosure.com on vulnerability submissions
 * Provide a detailed proof-of-concept description that allows the
   vulnerability to be reproduced
 * Do not engage in disruptive testing like DoS or any action that could impact
   the confidentiality, integrity or availability of information and systems
 * Do not engage in social engineering or phishing of customers or employees
 * Do not request compensation for time and materials or vulnerabilities
   discovered
