Bountytalk - Forums Advertising & Bounty Hub

Other Bounties => Bug bounty programs => Topic started by: Angelina on May 11, 2023, 07:19:57 pm

Title: SBA Bug Bounty
Post by: Angelina on May 11, 2023, 07:19:57 pm
Submit bug report: https://www.sba.gov/about-sba/open-government/about-sbagov-website/vulnerability-disclosure-policy

Policy
The U.S. Small Business Administration (SBA) takes seriously our responsibility to protect the public’s information, including financial and personal information, from unwarranted disclosure. However, as an agency with extensive citizen-facing data collection requirements, the risk of disclosure is real.

To help minimize that risk, and in accordance with the U.S. Department of Homeland Security (DHS) Binding Operational Directives (BODs), SBA encourages cybersecurity researchers to report vulnerabilities that they have discovered so that SBA can take appropriate action to fix those vulnerabilities and keep our stakeholders’ information safe.

This notification describes what systems and types of research are covered under this policy, how to report vulnerabilities, and the period we ask cybersecurity researchers to wait before publicly disclosing vulnerabilities.

Guidelines
We ask that cybersecurity researchers:

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability. This includes not using an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
Once it is confirmed that a vulnerability exists, or upon gaining access to any of the sensitive data outlined below, stop the test and notify us immediately.
Keep confidential any information about discovered vulnerabilities for a minimum of (90) calendar days after the cybersecurity researcher has notified SBA through the process described herein.