Purpose
The purpose of the Vulnerability Disclosure Policy (VDP) as defined in the Binding Operational Directive (BOD)[1] 20-01 is to enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. This policy makes it easier for the public to know where to send a report, what types of testing are authorized for which information systems, and what communication to expect. It also allows agencies to integrate vulnerability reporting into existing cybersecurity risk management activities. This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more data to protect their agencies. Additionally, ensuring consistent policies across the Executive Branch offers those who report vulnerabilities equivalent protection and a more uniform experience.
The Commodity Futures Trading Commission (“CFTC” or “Commission”) is committed to maintaining the security of its information systems and protecting information from unauthorized use and disclosure. This policy defines the information systems covered by the policy, the types of security research allowed on CFTC information systems, how to submit CFTC vulnerability findings, and establishes a grace period that Vulnerability Reporters are encouraged to adhere to prior to initiating any public disclosure.
The Commission understands that without assurances that good faith security research is welcomed and authorized, researchers may fear legal reprisal, and some may choose not to report discovered vulnerabilities to the agency. The Commission recognizes that a reporter or anyone in possession of vulnerability information can disclose or publish the information at any time, including without prior notice to the agency. However, such uncoordinated disclosure could result in exploitation of the vulnerability before the agency is able to address it, which could have legal penalties for the reporter as well. One objective of this policy is to reduce risk to the Commission’s infrastructure and the public by encouraging coordinated disclosure so there is time to fix the vulnerability before it is widely known.
Scope
This policy covers all CFTC public-facing websites, forms, and affected applicable external systems:
CFTC.gov
Whistleblower.gov
Policy
This policy outlines specific practices for research testing the security of the CFTC information systems, discovering vulnerabilities, proper research documentation, and a method for informing the CFTC of discovered vulnerability findings.
Under this policy, all of a Vulnerability Reporter’s research that complies with this policy is considered to be authorized. The CFTC will work to understand and resolve the issue quickly, and will not recommend or pursue any legal action related to the Vulnerability Reporter’s research.
Vulnerability Reporters are required to report potential vulnerabilities identified in CFTC information systems prior to publicly disclosing their findings. Vulnerability Reporters should contact the CFTC as early as possible, upon discovery of vulnerabilities, using approved methods defined in this policy. Early contact allows time to reasonably address vulnerabilities and protect CFTC information systems from unintended exploitation or harm. For reports submitted in compliance with this policy, CFTC will acknowledge receipt within five business days. CFTC will have 90 days from the acknowledgement date to confirm and resolve the vulnerability prior to public disclosure.
The CFTC will endeavor to validate properly detailed submissions within a reasonable time frame, implement corrective actions if appropriate, and inform researchers of the nature of reported vulnerabilities.
This policy applies to all CFTC information users, any information gained through research, and CFTC information systems owned or leased by the Commission.
Definitions
Information is “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms.” (See OMB Circular A-130)
Information system is a “means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” (see 44 U.S.C. § 3502)
Personally identifiable information (PII) is “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” (See OMB Circular A-130)
Vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Vulnerabilities are typically exploited to weaken the security of a system, its data, or its users, with impact to system confidentiality, integrity, or availability.
Vulnerability disclosure is the “act of initially providing vulnerability information to a party that was not believed to be previously aware”. The individual or organization that performs this act is called the Vulnerability Reporter.
Vulnerability Reporter: The individual or organization that performs the act of disclosing performs the research testing on CFTC information systems and reports the vulnerability.
Assurance
- The CFTC authorizes security research conducted in compliance with this policy. The Commission will not recommend or pursue legal action related to any security research conducted in compliance with this policy. The Commission will work closely with Vulnerability Reporters to understand and resolve vulnerabilities identified as a result of security research conducted under this policy and reported to the CFTC in accordance with this policy.
- Test Methods
- The following section describes authorized test methods for conducting security research, notifying CFTC, and public disclosure activities in order to be eligible for compliance:
- Vulnerability Reporters must:
- Protect any CFTC information containing vulnerabilities or network information from unauthorized disclosure until public disclosure has been authorized by the CFTC or 90 days from initial acknowledgement by the CFTC.
- Accept the results of CFTC reviews for their findings in a professional and responsible manner.
- Maintain a log of commands executed and activities performed during testing that includes date and time to assist with incident response triaging, if needed.
- Only perform automated scanning (i.e., Nessus, WebInspect, or other tools that consume bandwidth) during evening and nighttime hours (9:00 PM to 6:00 AM EST) to prevent degradation of services to the CFTC.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Make every effort to avoid using exploits that would compromise or exfiltrate information (including PII), establish persistent command line access, or pivot to other information systems.
- Make every effort to avoid degradation of user experience, disruption to production information systems, and destruction or manipulation of information.
- In compliance with BOD 18-01, email must be sent in in adherence to DKIM and SPF policies.
Vulnerability Reporters may:
- Use commercial off the shelf and/or freeware tools and scripts to perform testing like Nessus, nmap, nikto, sqlmap, WebInspect, tools and scripts available via Git Hub, etc.
- Attempt to remotely execute commands, upload files, circumvent authentication, create their own accounts, etc.
- Test for the presence of unprotected system information and artifacts, including network diagrams, configuration files, older penetration test reports, e‐mails or documents containing passwords, or other information critical to system operation.
- Perform Open Source Intelligence (OSINT) gathering activities.
- Perform web application server and web accessible database configuration checks.
- Enumerate and inventory live network Endpoints within the defined scope.
- Enumerate, fingerprint, and inventory operating systems and network services within the defined scope.
- Perform vulnerability identification using automated and/or manual methods.
- Attempt privilege escalation and/or lateral movement.
Vulnerability Reporters must not:
- Access an information system through determined or bypassed credentials.
- Perform denial of service attacks on any CFTC resources.
- Deviate from this policy in research methods or reporting activities.
- Alter or delete files on any CFTC information systems or data.
- Execute destructive procedures tests and exploits; any procedures with the potential to negatively impact network traffic or interrupt host systems will be avoided.
- Store penetration test files or programs on any of CFTC information systems.
- Contact CFTC employees or affiliated companies or individuals based on OSINT gathering activities.
- Brute force passwords or other user credentials.
- Conduct attacks on databases that result in the creation of erroneous data entries.
- Use the [email protected] for anything other than reporting specific vulnerabilities.
- Submit a high volume of low-quality reports.
Reporting a Vulnerability
Report submission method: Reports are accepted via electronic mail at [email protected].
Acceptable message formats: Acceptable message formats are plain text, rich text, and HTML. TLS 1.2 must be used as a secure message transport method.
Report details:
- Reports should provide a detailed technical description of the steps required to reproduce the vulnerability.
- A description of any non-public information that they are able to access as a result of the vulnerability.
- Include a description of any tools needed to identify or exploit the vulnerability.
- Images or videos, e.g., screen captures, and other documents may be attached to reports, and it is helpful to give attachments illustrative names.
- Reports may include proof-of-concept code that demonstrates exploitation of the vulnerability.
- Scripts or exploit code should be embedded into non-executable file types. All common file types and archives (e.g. txt, csv) can be processed, but executable code or macro-enabled documents cannot be accepted in submissions.
Personally Identifiable Information: Security researchers should make every effort to avoid using exploits that would compromise or exfiltrate PII. If while conducting security research authorized by this policy a security researcher accesses or exfiltrates PII, the vulnerability should be reported to the Commission immediately and the researcher should take reasonable steps to prevent further disclosure of the information. Vulnerability Reporters reporting a vulnerability that implicates PII shall take care not include in their report any PII accessed by the vulnerability.
Reporter’s choice of anonymity or providing contact information: Reports may be submitted anonymously or researchers may choose to provide their contact information, and any preferred methods or times of day to communicate, as they see fit. It is helpful to provide contact information, as the need arises to contact researchers to clarify reported vulnerability information or other technical interchange. Please do not send any additional PII beyond name and contact information when submitting a report.
No monetary compensation or endorsements: CFTC does not maintain a bug bounty program and will not endorse an organization that reports vulnerabilities to the Commission. Reporters will not receive payment for submitting vulnerabilities and, by submitting, reporters waive any claims to compensation.
Intellectual Property and Licensing: By submitting a report to the CFTC, researchers warrant that the report and any attachments do not violate the intellectual property rights of any third party, and the reporter grants the CFTC a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.
Disclosure
The CFTC is committed to timely correction of vulnerabilities. However, the agency recognizes that public disclosure of vulnerability in absence of a readily-available corrective action likely increases versus decreases risk. Accordingly, the reporting entity is encouraged to not share information about discovered vulnerabilities for 90 calendar days after receiving CFTC acknowledgement of the initial report. Some vulnerability remediation may take longer and coordination with the CFTC prior to disclosure is highly recommended. If you believe others should be informed of the vulnerability prior to the implementation of corrective actions, CFTC requires that you coordinate in advance with us.
The CFTC may share vulnerability reports with the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. CFTC may reach out to researchers for additional information as requested by vendors. Names or contact data of security researchers or vendor POC’s will not be shared unless the security researcher has given their explicit permission.
Review
This policy will be reviewed annually, or every 2 years following when CISA updates BOD 20-01 to account for changes in the general cybersecurity landscape and incorporate additional best practices to receive, track, and report vulnerabilities identified by researchers.
Questions
Questions regarding this policy may be sent to [email protected]. The CFTC encourages security researchers to contact the agency for clarification on any element of this policy. Please contact the CFTC prior to conducting research if there is doubt whether a specific test method is inconsistent with or unaddressed by this policy. Suggestions for improving this policy are encouraged to be sent via [email protected].
[1] A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014 (“FISMA”). Id. § 3553(b)(2). Federal agencies are required to comply with these DHS-developed directives. Id. § 3554(a)(1)(B)(ii). DHS binding operational directives do not apply to statutorily defined “National Security Systems” or to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).