This Policy is designed to ensure the security of AmeriCorps by protecting its information, giving clear guidelines for conducting vulnerability discovery activities, and conveying preferences on how to submit discovered vulnerabilities to AmeriCorps. This Policy also facilitates AmeriCorps awareness of otherwise unknown vulnerabilities. It commits AmeriCorps to authorizing good faith security research, responding to vulnerability reports, and setting expectations for reporters.
What Is the Purpose of this Policy?
This Vulnerability Disclosure Policy (VDP) describes how discovered vulnerabilities can be reported to AmeriCorps and gives security researchers clear guidelines for conducting vulnerability discovery activities. This policy describes which systems and types of research are covered, how to send AmeriCorps vulnerability reports, and the timeline security researchers must observe before publicly disclosing vulnerabilities.
Authorization
Guidelines
AmeriCorps requires that all vulnerabilities identified during research be reported to the OIT Help Desk by calling 202-606-6600, sending an email to oithd@cns.gov, or completing the Privacy and Security Incident Report.
Under this VDP, the researcher shall:
- Notify AmeriCorps within 1 hour or as soon as possible after discovering a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
- Provide AmeriCorps a reasonable amount of time to resolve the issue before disclosing it publicly (not more than 72 hours).
- Not submit a high volume of low-quality reports.
Once a researcher has established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), the individual must stop testing, notify AmeriCorps immediately, and not disclose this data to anyone else.
Test Methods
Authorized test methods include, but are not limited to:
- Network scanning by approved tools (Nessus, AngryIP).
- Log review via Splunk or some other approved tool.
- Other approved network management tools (e.g., Windows Defender, SolarWinds).
- Observation of a vulnerability.
- Third party report review.
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
Scope
This section defines which internet-accessible systems or services are in scope for this policy.
This policy applies to any Internet-facing service, including web servers, mail gateways, utility servers, and VPN gateways. The following systems and services are included:
- americorps.gov
- cncs.gov
- cns.gov
- autodiscover.cns.gov
- egrants.cns.gov
- inventory.cns.gov
- owa.cns.gov
- securetransfer.cns.gov
- sts.cns.gov
- vpn.cns.gov
- webvpn.cns.gov
- joinamericorps.gov
- mentor.gov
- mlkday.gov
- nationalservice.gov
- presidentialserviceawards.gov
- serve.gov
- vistacampus.gov
- volunteeringinamerica.gov
In addition, this policy applies to devices residing on the following AmeriCorps IP ranges:
- 152.180.8.128/26
- 152.180.134.192/26
- 204.124.228.0/22
- 12.188.34.32/27
- 216.109.83.64/27
- 216.33.116.0/26
- 209.67.159.0/26
Configuration
All .gov web domains are configured as follows:
- The security contact field for each registered .gov domain is: Unsafe@cns.gov
  Security POC Notice:
  A security contact is like a digital front door for outsiders to report observed or suspected security issues at your domain. This could include notifications about compromised accounts, unsolicited email, routing problems or reporting a potential vulnerability. A security contact should be capable of evaluating or triaging security reports for your entire domain. We recommend using a team email address specifically for reports and avoiding the use of an individual’s email address.
  Security contact details are made public via the .gov whois (web/port 443) and our published data. You can change your security contact at any time. Removing the contact withdraws it from whois and our published data.
- The “Organization” field for each registered .gov domain is:
  Organization Name: AmeriCorps
  Street Address: 250 E St SW
  City: Washington
  State: District of Columbia
  State / Province: N/A
  Zip Code: 20525
  Country: United States
Reporting a Vulnerability
Information submitted under this VDP will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely AmeriCorps, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
AmeriCorps accepts vulnerability reports via e-mail to oithd@cns.gov, or by calling the OIT Help Desk at 202-606-6600, with a description of the vulnerability, its location and potential impact. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
Vulnerability reports can be submitted anonymously, and AmeriCorps must NOT:
- Require the submission of Personally Identifiable Information (PII); the reporter may voluntarily provide contact information.
- Limit testing solely to “vetted” registered parties or U.S. citizens. The policy must provide authorization to the public.
- Attempt to restrict the reporter’s ability to disclose discovered vulnerabilities to others, except for a request for a reasonably time-limited response period.
- Submit disclosed vulnerabilities to other agencies or processes.
AmeriCorps must protect any individual reporting vulnerabilities:
- Commit to not recommending or pursuing legal action against anyone for security research activities that the agency concludes represent a good faith effort to follow the policy, and deem that activity authorized.
- Set expectations for when the reporter (where known) can anticipate acknowledgement of their report, and pledge the agency to be as transparent as possible about what steps it is taking during the remediation process.
Reporters will not receive payment for submitting or disclosing vulnerabilities.
What AmeriCorps expects from a vulnerability reporter:
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
What a vulnerability reporter can expect from AmeriCorps
When you choose to share your contact information with AmeriCorps, we commit to coordinating with you as openly and as quickly as possible:
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
Document Change History
Version | Date       | Description
1.0     | 03/01/2021 | First issuance.