Here's the adapted Vulnerability Disclosure Policy in markdown format for GSA:
Last Updated: February 14, 2025
The General Services Administration (GSA) is committed to ensuring the security of the American public by protecting their information. This policy provides security researchers with clear guidelines for conducting vulnerability discovery activities and submitting discovered vulnerabilities to GSA.
This policy outlines:
- Systems and types of research covered
- How to submit vulnerability reports
- Expected timelines for public disclosure of vulnerabilities
We encourage responsible disclosure of potential vulnerabilities in our systems.
If you make a good faith effort to comply with this policy during your security research, we will:
- Consider your research to be authorized
- Work with you to understand and resolve the issue quickly
- Not recommend or pursue legal action related to your research
Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.
Under this policy, "research" means activities where you:
- Notify us immediately upon discovery of a real or potential security issue
- Avoid privacy violations, system disruption, and data manipulation
- Use exploits only to confirm vulnerabilities
- Provide reasonable time for resolution before public disclosure
- Submit high-quality, actionable reports
Important: If you discover sensitive data (including PII, financial information, or proprietary information), you must:
- Stop testing immediately
- Notify us promptly
- Not disclose the data to anyone else
- Network denial of service (DoS or DDoS) tests
- Physical testing (office access, tailgating)
- Social engineering (phishing, vishing)
- Any non-technical vulnerability testing
This policy applies to these GSA systems and services:
- *.gsa.gov
- Explicitly listed GSA-operated services
- Public-facing GSA digital services
Note: Systems not explicitly listed are excluded from scope. Vulnerabilities in vendor systems should be reported directly to those vendors.
Submit vulnerability reports via:
- Our secure web form at [URL]
- Email: security@gsa.gov
Reports may be submitted anonymously. If contact information is provided, we will acknowledge receipt within 3 business days.
- Vulnerability location and potential impact
- Detailed reproduction steps
- Proof of concept (if applicable)
- Supporting screenshots or technical details
When contact information is provided, we commit to:
- Acknowledge receipt within 3 business days
- Provide transparent updates on remediation progress
- Maintain open communication throughout resolution
Direct questions about this policy to security@gsa.gov.
| Version | Date | Description |
|---|---|---|
| 1.0 | February 14, 2025 | First issuance |
Note: This policy is designed to evolve as our systems and security needs change. We welcome suggestions for improvement.