Vulnerability Disclosure Policy

The U.S. National Science Foundation is committed to ensuring the security of the American public by protecting their information. The agency welcomes independent researchers to assess its potential vulnerabilities.

Introduction

NSF is an independent federal agency whose mission is "to promote the progress of science; to advance the national health, prosperity, and welfare; to secure the national defense." NSF funds approximately 25% of all federally supported basic research conducted by America's colleges and universities. Protecting information is integral to the NSF mission.

NSF encourages the public to report potential vulnerabilities they identify in the agency's systems. NSF's Vulnerability Disclosure Policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at NSF systems. The policy describes:

  • What systems and types of research are covered under the policy.
  • How to send vulnerability reports to NSF.
  • How long security researchers are asked to wait before publicly disclosing vulnerabilities.

How NSF will use information in vulnerability reports

Information submitted under NSF's Vulnerability Disclosure Policy will be used for defensive purposes only to mitigate or remediate vulnerabilities.

If a researcher's findings include newly discovered vulnerabilities that affect all users of a product or service and not solely NSF, NSF may share the researcher's report with the Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under CISA's coordinated vulnerability disclosure process. The researcher's name or contact information will not be shared without express permission.

Vulnerability research authorization

If a researcher makes a good faith effort to comply with NSF's Vulnerability Disclosure Policy during his or her security research, NSF will consider the research to be authorized and NSF will work with the researcher to understand and resolve the issue quickly. NSF will not recommend or pursue legal action related to the research. Should legal action be initiated by a third party against the researcher for activities that were conducted in accordance with NSF's Vulnerability Disclosure Policy, NSF will make this authorization known.

Principles

Under this policy, a researcher is expected to:

  • Ensure test methods do not include unauthorized activities described below.
  • Notify NSF as soon as possible after a real or potential security issue is discovered.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability's presence. Not use an exploit to compromise or exfiltrate data, establish command-line access and/or persistence, or pivot to other systems.
  • Allow NSF 90 business days to resolve the issue before disclosing the vulnerability publicly.
  • Agree not to submit a high volume of low-quality reports.

Once a researcher has established that a vulnerability exists or encounters any sensitive data (including personally identifiable information, financial information, proprietary information or trade secrets of any party), the researcher must stop their test, notify NSF immediately, and not disclose the data to anyone else.

Test methods

The following test methods are not authorized:

  • Network denial of service or distributed denial of service (DoS or DDoS) attack tests or other tests that impair access to or damage a system or data.
  • Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing) or any other non-technical vulnerability testing.

Scope

NSF's Vulnerability Disclosure Policy applies to all NSF internet-accessible systems and services. This includes the following domain names and their subdomains:

  • *.nsf.gov
  • *.research.gov
  • *.sac.gov
  • *.usap.gov

Vulnerabilities found in systems from NSF vendors fall outside the policy's scope and should be reported directly to the vendor according to the vendor's disclosure policy.

Reporting a vulnerability

Researchers who discover a potential vulnerability that may compromise NSF data or services are asked to follow the notification process below:

Send notification of a potential vulnerability through NSF's Vulnerability Disclosure Policy Platform. Please provide the following information:

  • Description of the vulnerability: Describe the potential vulnerability and the potential impact of exploitation.
  • Location and potential impact: Provide the URL or other identifier of the vulnerability's location and your assessment of the vulnerability's potential impact.
  • Technical information to reproduce the finding: Provide technical information so that NSF IT specialists may investigate the finding, including the ability to reproduce the finding. Provide a detailed description of the steps needed to reproduce the vulnerability. Proof-of-concept scripts or screenshots are helpful.
  • Potential proof-of-concept code: Provide proof-of-concept code if available.
  • The researcher's acknowledgment of the following statement: "By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against the U.S. Government related to your submission."

Researcher submissions are acknowledged within three business days of submission.

Researchers are asked to refrain from public announcement or discussion of their potential vulnerability findings for 90 business days from the submission date to allow investigation and mitigation by NSF IT specialists.

NSF will coordinate with the researcher as openly and as quickly as possible:

  • Within three business days, NSF will acknowledge report receipt.
  • To the best of NSF's ability, NSF will confirm the existence of the vulnerability to the researcher and be as transparent as possible about remediation, including on issues or challenges that may delay resolution.
  • NSF will maintain an open dialogue to discuss issues.

NSF IT specialists are responsible for beginning an investigation of publicly reported potential vulnerabilities within three business days of submission.

NSF IT specialists follow established internal procedures to mitigate potential vulnerabilities. Where possible, NSF IT specialists will inform the researcher of the mitigation or resolution.

Questions

Questions regarding this policy may be sent to dis-secteam@nsf.gov. NSF also invites researchers to contact NSF with suggestions for improving this policy.