Approved On: 03/25/2021

VULNERABILITY DISCLOSURE PROGRAM

Introduction

The Export-Import Bank of the United States (EXIM) supports American jobs by facilitating the export of U.S. goods and services.

EXIM is committed to ensuring the security of the U.S. public by protecting the public’s information from unwarranted disclosure. As such, EXIM has created a Vulnerability Disclosure Policy (VDP) and Vulnerability Disclosure Program to give security researchers clear guidelines for conducting vulnerability discovery activities on EXIM systems and websites, as well as to convey EXIM’s preferences for how discovered vulnerabilities should be submitted to EXIM.

EXIM’s Vulnerability Disclosure Policy describes what systems and types of research are covered under this program, how to submit vulnerability reports, and requirements for public disclosure of submitted vulnerabilities.

Authorization

Security researchers must comply with all applicable Federal, State, and local laws in connection with the security research activities or other participation in this Vulnerability Disclosure Program.

Efforts made in good faith to comply with this policy during all security research will be considered authorized. EXIM will work with the researcher to understand and quickly resolve issues and will not recommend or pursue legal action related to that research. Should legal action be initiated by a third party against the security researcher for research conducted in accordance with this policy, EXIM will reaffirm this authorization.

Applicability and Scope

This policy is for security researchers interested in reporting system security vulnerabilities and is intended for authorized EXIM publicly available systems/services only. This policy applies to anyone wishing to conduct vulnerability discovery activities, including research and testing conducted on EXIM’s publicly available systems/services within the EXIM.gov domain. This also includes the registered domain name EXIM.gov.

Though EXIM develops and maintains other internet-accessible systems or services, we ask that active research and testing be conducted only on the systems and services covered by the scope of this EXIM policy. We will increase the scope of this policy over time.

If there is uncertainty regarding the scope, please contact VDP@exim.gov.

Additionally, vulnerabilities found in systems from non-EXIM entities are outside of this policy’s scope and should be reported directly to the non-EXIM entity according to their disclosure policy. If there is uncertainty regarding the scope of a system, contact VDP@exim.gov.

While the EXIM Office of the Chief Information Officer (OCIO) is responsible for the development and maintenance of various internet-accessible systems or services, research and testing should only be conducted on the systems and services covered by the scope of this policy. The scope of this policy is subject to change. Please contact VDP@exim.gov if questions arise regarding systems not currently in scope.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify EXIM as soon as possible after the discovery of any real or potential security issue(s).
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not submit a high volume of low-quality reports.

Upon the discovery of a vulnerability or sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party):

  • ALL tests must be stopped.
  • Notify EXIM immediately.
  • Do not disclose this data to anyone.

Reporting a Vulnerability

Information submitted under this policy will be used for defensive purposes only. If discovered findings include new vulnerabilities that affect all users of a product or service and not solely EXIM, EXIM may share your report with the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled according to their coordinated vulnerability disclosure process. EXIM will not share your name or contact information without express permission.

EXIM only accepts vulnerability reports via https://bugcrowd.com/exim-vdp. Reports may be submitted anonymously. If contact information is shared, EXIM will acknowledge receipt of the information within three (3) business days.

When submitting a vulnerability, the security researcher acknowledges that there is no expectation of payment and that any future claims for payment against the U.S. Government related to the submission have been waived.

When contact information is shared, EXIM commits to coordinating with the security researcher in a transparent and timely manner:

  1. Within three (3) business days, EXIM will acknowledge that the report has been received.
  2. Within fifteen (15) business days, EXIM will confirm the existence of the vulnerability and provide further discussion on findings, resolutions, and/or issues or challenges that may delay resolution.

Policy

Vulnerability Reports

To report identified vulnerabilities, security researchers must:

  1. Submit vulnerability reports to https://bugcrowd.com/exim-vdp.
  2. Describe the location where the vulnerability was discovered and the potential impact of exploitation.
  3. Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots).
  4. Submit vulnerability reports anonymously, if desired. If a security researcher provides EXIM with an email address, EXIM will acknowledge, via email, receipt of submitted reports within three (3) business days.
  5. Keep confidential any information about discovered vulnerabilities for up to ninety (90) calendar days after being notified by EXIM.

Coordinated Disclosure

EXIM is committed to patching vulnerabilities within ninety (90) days or less and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.

At the same time, we believe that disclosure in the absence of a readily available patch tends to increase risk rather than reduce it, and so we ask that security researchers refrain from sharing reports with others, or releasing reports to the public, while patching is occurring. If there is a need to inform others of the submitted report before the patch is available, please coordinate with EXIM at VDP@exim.gov prior to release for assessment.

Use of Vulnerability Reports

Information submitted under this policy shall be used by EXIM for defensive cybersecurity purposes (i.e., to mitigate or remediate vulnerabilities). If a reported issue is determined to be both within the program scope and a valid security issue, EXIM will validate the finding(s), and the security researcher can disclose the vulnerability after a resolution has been issued. The details within the Vulnerability Intake form may be submitted to an independent third-party vendor for evaluation and handling.

Information Sharing

Information submitted under this policy may be shared for defensive cybersecurity purposes:

  1. If findings submitted include newly discovered vulnerabilities that affect users of a product or service outside of EXIM, EXIM may share vulnerability reports with DHS CISA, where they will be handled under DHS CISA’s coordinated vulnerability disclosure process. EXIM retains the right to share this information with DHS CISA and other applicable organizations, as needed.
  2. Personal information pertaining to the security researcher will not be disclosed or shared without the researcher’s express written permission.

Testing Methods

EXIM requires that security researchers comply with authorized test methods/activities to access systems within the publicly available EXIM.gov domains, and not perform any unauthorized test methods/activities.

Authorized Testing Methods/Activities

Testing methods/activities are limited exclusively to:

(1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or

(2) Sharing information with, or receiving information from, EXIM about a vulnerability or an indicator related to a vulnerability.

Unauthorized Testing Methods/Activities

The following test methods/activities are not authorized by EXIM:

  1. Testing any systems other than the systems set forth in the ‘Scope’ of this policy.
  2. Physical testing of facilities or resources (e.g., office access, open doors, tailgating).
  3. Social engineering (e.g., phishing, vishing, spam, and other suspicious email), and any other non-technical vulnerability testing.
  4. Network denial of service (DoS or Distributed DoS) or tests that impair access to, or damage the availability of, a system or data.
  5. Tests that exhaust bandwidth or are resource intensive.
  6. Unidentified malware, viruses, Trojan horses, or worms.
  7. Rainbow tables, password cracking, or brute force testing.
  8. Using an exploit to exfiltrate data, establish command line access, establish a persistent presence on EXIM systems, or “pivot” to other EXIM systems.
  9. Testing third-party applications, websites, or services that integrate with or link to or from EXIM systems.
  10. Deleting, altering, sharing, retaining, or destroying EXIM data, or rendering EXIM data inaccessible.

Questions

Questions or suggestions regarding this policy may be sent to VDP@exim.gov.