cablej / hack-your-government

A list of governments with Vulnerability Disclosure Policies

Can you hack your government?

Vulnerability disclosure policies and bug bounty programs are becoming standard across industry and government. Beginning with the U.S. Department of Defense, several government agencies worldwide have implemented vulnerability disclosure programs.

This is a list of government agencies that have bug bounty programs or vulnerability disclosure policies. Please submit a pull request if any government agencies are missing from this list.

For a full list of U.S. government vulnerability disclosure policies, see https://github.com/cisagov/vdp-in-fceb.

Note: This list is not an invitation to hack any of the listed organizations. Ensure that you comply with all listed terms of an organization's vulnerability disclosure policy.

| Organization | Type | Rewards | Link | Notes |
| --- | --- | --- | --- | --- |
| U.S. Department of Defense | VDP | None | https://hackerone.com/deptofdefense | Safe Harbor |
| U.S. Department of Defense | Bug Bounty | Varies | | Private, time-limited challenges |
| GSA Technology Transformation Services | Bug Bounty | $150-$5,000 | https://hackerone.com/tts | Safe Harbor |
| U.S. Securities and Exchange Commission | VDP | None | https://www.sec.gov/vulnerability-disclosure-policy | Safe Harbor |
| U.S. Department of Energy Office of Scientific and Technical Information | VDP | None | https://www.osti.gov/vulnerability-disclosure-policy | Partial Safe Harbor |
| Fermi National Accelerator Laboratory | VDP | None | https://computing.fnal.gov/cybersecurity/vulnerability-disclosure-policy/ | None |
| Centers for Medicare & Medicaid Services (CMS) | VDP | None | https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/CMS-Vulnerability-Disclosure-Policy.pdf | Safe Harbor |
| Iowa Secretary of State | VDP | None | https://sos.iowa.gov/pdf/IOWA_SOS_VDP_Policy.pdf | Safe Harbor |
| Ohio Secretary of State | VDP | None | https://www.ohiosos.gov/vulnerability-disclosure-policy/ | Safe Harbor |
| State of Delaware | VDP | | https://delaware.gov/help/responsible-disclosure.shtml | Partial Safe Harbor |
| Washington D.C. | VDP | None | https://octo.dc.gov/sites/default/files/dc/sites/octo/publication/attachments/Responsible%20Disclosure%20Policy%20.pdf | |
| Netherlands NCSC | VDP | Up to €300 | https://www.ncsc.nl/security | |
| Netherlands Central Government | VDP | | https://www.government.nl/topics/cybercrime/fighting-cybercrime-in-the-netherlands/responsible-disclosure | |
| United Kingdom NCSC | VDP | None | https://hackerone.com/ncsc_uk | |

Other government agencies offer avenues for disclosure without providing authorization or a safe harbor. As such, participate in these programs at your own risk and assume no legal protections. Some examples include the following.

| Organization | Link | Notes |
| --- | --- | --- |
| DHS via U.S. CERT | https://www.kb.cert.org/vuls/govreport/ | |
| UK Government via NCSC | https://www.ncsc.gov.uk/information/vulnerability-reporting | |
| Government of India via NCIIPC | https://nciipc.gov.in/RVDP.html | |
