Vulnerability Disclosure Policy
The Office of the Comptroller of the Currency (OCC) is committed to maintaining the security of our systems and protecting sensitive information from unauthorized disclosure. We encourage security researchers to report potential vulnerabilities identified in OCC systems to us. The OCC will acknowledge receipt of reports submitted in compliance with this policy within three business days, pursue timely validation of submissions, implement corrective actions if appropriate, and inform researchers of the disposition of reported vulnerabilities.
The OCC welcomes and authorizes good faith security research. The OCC will work with security researchers acting in good faith and in compliance with this policy to understand and resolve issues quickly, and will not recommend or pursue legal action related to such research. This policy identifies which OCC systems and services are in scope for this research, and provides direction on test methods, how to send vulnerability reports, and restrictions on public disclosure of vulnerabilities.
OCC System and Services in Scope for this Policy
The following systems / services are in scope:
Only systems or services explicitly listed above, or which resolve to those systems and services listed above, are authorized for research as described by this policy. Additionally, vulnerabilities found in non-federal systems operated by our vendors fall outside of this policy’s scope and may be reported directly to the vendor according to its disclosure policy (if any).
Direction on Test Methods
Security researchers must not:
- test any system or service other than those listed above,
- disclose vulnerability information except as set forth in the ‘How to Report a Vulnerability’ and ‘Disclosure’ sections below,
- engage in physical testing of facilities or resources,
- engage in social engineering,
- send unsolicited electronic mail to OCC users, including “phishing” messages,
- execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
- introduce malicious software,
- test in a manner which could degrade the operation of OCC systems; or intentionally impair, disrupt, or disable OCC systems,
- test third-party applications, websites, or services that integrate with or link to or from OCC systems or services,
- delete, alter, share, retain, or destroy OCC data, or render OCC data inaccessible, or,
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on OCC systems or services, or “pivot” to other OCC systems or services.
Security researchers may:
- View or store OCC nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must:
- cease testing and notify us immediately upon discovery of a vulnerability,
- cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and,
- purge any stored OCC nonpublic data upon reporting a vulnerability.
How to Report a Vulnerability
Reports are accepted via electronic mail at CyberSecurity@occ.treas.gov . To establish an encrypted email exchange, please send an initial email request using this email address, and we will respond using our secure email system.
Acceptable message formats are plain text, rich text, and HTML. Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability. Images, e.g., screen captures, and other documents may be attached to reports. It is helpful to give attachments illustrative names. Reports may include proof-of-concept code that demonstrates exploitation of the vulnerability. We request that any scripts or exploit code be embedded into non-executable file types. We can process all common file types as well as file archives including zip, 7zip, and gzip.
Researchers may submit reports anonymously or may voluntarily provide contact information and any preferred methods or times of day to communicate. We may contact researchers to clarify reported vulnerability information or for other technical exchanges.
By submitting a report to us, researchers warrant that the report and any attachments do not violate the intellectual property rights of any third party and the submitter grants the OCC a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments. Researchers also acknowledge by their submissions that they have no expectation of payment and expressly waive any related future pay claims against the OCC.
The OCC is committed to timely correction of vulnerabilities. However, recognizing that public disclosure of a vulnerability in absence of readily available corrective actions likely increases associated risk, we require that researchers refrain from sharing information about discovered vulnerabilities for 90 calendar days after receiving our acknowledgement of receipt of their report and refrain from publicly disclosing any details of the vulnerability, indicators of vulnerability, or the content of information rendered available by a vulnerability except as agreed upon in written communication from the OCC.
If a researcher believes that others should be informed of the vulnerability before the conclusion of this 90-day period or prior to our implementation of corrective actions, whichever occurs first, we require advance coordination of such notification with us.
We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.
Questions regarding this policy may be sent to CyberSecurity@occ.treas.gov . The OCC encourages security researchers to contact us for clarification on any element of this policy and prior to conducting research if it is unclear whether a specific test method is inconsistent with or unaddressed by this policy. We also invite security researchers to contact us with suggestions for improving this policy.
Issuance date: March 1, 2021