Back to Top

OPM Vulnerability Disclosure Policy

Vulnerability Disclosure Policy

OPM Vulnerability Disclosure Process

  1. Introduction

    As part of a U.S. government agency, the Office of Personnel Management (OPM) takes seriously our responsibility to protect the public's information, including financial and personal information, from unwarranted disclosure.

    We want security researchers to feel comfortable reporting any vulnerabilities they discover, as set out in this policy, so that we can fix them and keep our information safe.

    This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing any vulnerabilities.

    OPM encourages you to contact us to report potential vulnerabilities in our systems.

  2. Authorization

    If you make a good faith effort to comply with this policy during your security research, OPM will consider your research to be authorized. OPM will not pursue legal action against authorized research.

  3. Guidelines

    We require that you:

    • Notify us as soon as possible after you discover a real or potential security issue.
    • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
    • Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems.
    • Once you have established that a vulnerability exists, or encountered any of the sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test and notify us immediately, and not disclose this information to anyone else.
    • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
    • Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified OPM.
  4. Scope

    This policy applies to the following domains:

    • External facing OPM registered and managed .gov domains and all sub-domains (e.g. telework.opm.gov),
    • applicationmanager.gov,
    • chcoc.gov,
    • cybercareers.gov,
    • employeeexpress.gov,
    • feb.gov,
    • federaljobs.gov,
    • fedjobs.gov,
    • fedshirevets.gov,
    • fsafeds.gov,
    • golearn.gov,
    • governmentjobs.gov,
    • opm.gov,
    • pac.gov,
    • pmf.gov,
    • telework.gov,
    • unlocktalent.gov,
    • usajobs.gov,
    • usalearning.gov
    • usastaffing.gov
    • Non-public data on public third-party services - OPM utilizes third-party services to support its public work model. While non-public data published publicly on those services is in scope, testing those services is not in scope.

    Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-federal systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system or endpoint is in scope or not, contact us at vulnerabilitydisclosure@opm.gov before starting your research.

    OPM does not offer any compensation for the identification or reporting of vulnerabilities.

  5. Test methods

    Security Researchers/Testers must not:

    • Perform testing of any information system or service unless it is in the Scope of this policy;
    • Perform any Denial of Service (DoS or DDoS), Resource Exhaustion, or other tests that impair access to an information system or data (information);
    • Perform physical testing ( e.g. office access, open doors, tailgating) of federal/contractor facilities or resources;
    • Perform social engineering ( e.g. phishing, vishing), or any other non-technical vulnerability testing to include the sending of unsolicited emails;
    • Introduce any malicious software/code;
    • Perform testing in a manner which could degrade the operations of systems, or intentionally impair, disrupt, or disable information systems or services;
    • Perform testing on third-party applications, websites, or services that integrate with or link to or from agency information systems or services;
    • Perform testing that intentionally or unintentionally deletes, alters, shares, retains, or destroys information (data);
    • Perform testing of an exploit to exfiltrate data, establish command line access, elevate privileges, establish a persistent presence on systems, or "pivot" to other systems;
    • Perform testing that maintains a persistent presence on information systems or services.

    Security Researchers/Testers must:

    • Cease testing and notify us immediately upon discovery of a vulnerability;
    • Cease testing and notify us immediately upon discovery of an exposure of nonpublic data to include Personally Identifiable Information (PII), Financial information ( e.g. credit card or bank account numbers), and Proprietary information or trade secrets of companies of any party;
    • Purge any stored agency nonpublic data upon reporting a vulnerability.
  6. Reporting a Vulnerability

    • We accept vulnerability reports using the provided reporting format via the following methods:
    • Email: All submissions via email will be sent to vulnerabilitydisclosure@opm.gov.

    The Vulnerability Report should be in the template provided. Vulnerability Reports that are not in the correct template or that do not provide sufficient information will be rejected for processing by the analysis team.

    Please note that Vulnerability Reports may be submitted anonymously. If you share contact information (Reporter Contact), we will acknowledge receipt of your report within five (5) business days of the report's receipt.

    We do not support PGP-encrypted emails. For particularly sensitive information, submit through the mail process or provide a note that some information is sensitive, and you will be contacted with details on sending the sensitive information.

    • What we would like to see from you:

      In order to help us triage and prioritize submissions, we recommend that your reports:

      • Describe the location the vulnerability was discovered and the potential impact of exploitation.
      • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
      • Be in English, if possible.
    • What you can expect from us:

      • When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
      • Within three (3) business days, we will acknowledge that your report has been received.
      • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
      • We will maintain an open dialogue to discuss issues.

Document Change History

Version Date Description
1.0 June 10, 2021 First issuance.