Library of Congress Vulnerability Disclosure Program
Purpose
The community of security researchers plays an important and vital role in IT security. The Library welcomes reports from security researchers, and encourages researchers to report any vulnerabilities they discover in Library web applications as soon as possible.
This policy provides a set of public rules and guidelines for researchers to report potential vulnerabilities in the Library’s public facing websites and how the Library will work with a researcher after a vulnerability has been validated.
Authority
Although laws relating to coordination of information security systems do not apply to the legislative branch (see e.g., 35 U.S.C. § 3502(1)), the Library secures and protects its information technology (IT) and data from unauthorized access, use, disclosure, disruption, modification, or destruction and is constantly reviewing and enhancing its IT systems. Pursuant to 18 U.S.C. § 1030, the Library may pursue perpetrators of fraud and related activity in connection with a U.S. government computer and federal records.
Scope
- The following websites are within scope for this policy;
- *.loc.gov
- *.americaslibrary.gov
- *.asianpacificheritage.gov
- *.bibframe.org
- *.blackhistorymonth.gov
- *.ccb.gov
- *.classweb.org
- *.Congress.gov
- *.Copyright.gov
- *.crb.gov
- *.currencyreader.gov
- *.digitalpreservation.gov
- *.digitizationguidelines.gov
- *.hispanicheritagemonth.gov
- *.jewishheritagemonth.gov
- *.lcconline.info
- *.lctl.gov
- *.nativeamericanheritagemonth.gov
- *.nlstalkingbooks.org
- *.read.gov
- *.section108.gov
- *.womenshistorymonth.gov
- In addition to those not listed above, the following website(s) are out of scope:
- bioguide.congress.gov
- The following test types are not authorized:
- User interface bugs or typos.
- Network denial of service (DoS or DDoS) tests.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
How to submit a report
A researcher should compile a detailed summary of the discovered bug, vulnerability, etc.. Report details include the step by step process used in discovering the issue, location of the vulnerability, proof of concept code (if available), software versions and software configurations and potential impact of the issue(s). The researcher should send a report as a single email with all applicable details to vdp@loc.gov.
Guidelines
- Researchers must:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data. Researchers must not copy any data other than what is needed for inclusion in the report. Researchers must not disclose any personally identifiable information to a non-Library source at any time.
- Only use an exploit to confirm the existence of a vulnerability. Researchers must not use an exploit to go beyond proving a vulnerability exists. Prohibited activity includes using an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Researchers must not conduct any denial of service or other attack that degrades performance or user experience.
- Coordinate with the Library of Congress for a period of at least 90 days before releasing details of the vulnerability to the general public.
- The Library will work to address reported vulnerabilities expeditiously and to notify researchers of remediation actions.
- The Library IT security team will provide researchers an initial confirmation of receipt of reports within one business day.
- The Library anticipates completion of initial assessments of reported vulnerabilities within one week.
- The Library expects to maintain ongoing communication with the researcher until the vulnerability is remediated.
Authorized Research
The Library will consider research to be authorized, if researchers make a good faith effort to comply with this policy during their security research. The Library will work with researchers to understand and resolve reported issues quickly. If researchers are in compliance with this policy, the Library will not recommend or pursue legal action related to the vulnerability research.
The Library does not offer any reward or bounty for reporting vulnerabilities.
Updated: January 26, 2021