Welcome to the Federal Reserve Responsible Disclosure page

By submitting a vulnerability to the Federal Reserve through ResponsibleDisclosure.com, you agree to the Terms of Service.

Get Started

Responsible Disclosure Policy:

This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only.

If you have reported an issue determined to be within program scope, is determined to be a valid security issue, and you have followed program guidelines, ResponsibleDisclosure.com will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued. Please refer all questions to responsibledisclosure.com

Federal Reserve Disclosure Policy

The Federal Reserve commits to acknowledging disclosed vulnerabilities promptly and working with the security research community to mitigate or remediate weaknesses.

The Federal Reserve asks participating security researchers to:

Provide the Federal Reserve reasonable time to fix reported issue before disclosing issues to outside parties
Not publicly disclose vulnerabilities or related details without explicit written authorization from the Federal Reserve
Not include sensitive or identifying data in any public disclosures

Additional policy details may be found in the root-level /.well-known/security.txt file on some Federal Reserve domains.

Program Rules

Avoid mass scanning Federal Reserve domains. Offending IP addresses may be blocked.

Please provide detailed reports of the process you used and vulnerabilities identified with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, the Federal Reserve only triages the first report that was received (provided it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

Do not engage in social engineering (e.g., phishing, vishing, smishing).

Avoid violating individual privacy rights, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Do not exploit beyond what is necessary to demonstrate vulnerability presence.

Avoid accessing content of communications, data, or information on Federal Reserve information systems except to the extent that information directly relates to the vulnerability and is necessary to prove the vulnerability exists.

Do not store or share non-public data obtained through testing except to the extent necessary to communicate the finding to the Federal Reserve.

Do not submit a high-volume of low-quality reports.

If you are uncertain whether to continue testing, please engage with our team at frrd@responsibledisclosure.com

Typical Vulnerabilities Accepted

OWASP Top 10 vulnerability categories
Other vulnerabilities with demonstrated impact

Typical Out of Scope

Theoretical vulnerabilities
Informational disclosure of non-sensitive data
Low impact session management issues
Self XSS (user defined payload)

For a full list of program scope please visit the Scope and Rules of Engagement page.

Responsible Disclosure Guidelines

Adhere to all legal terms and conditions outlined at responsibledisclosure.com
Work directly with ResponsibleDisclosure.com on vulnerability submissions
Provide detailed description of a proof of concept to detail reproduction of vulnerabilities
Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
Do not engage in social engineering or phishing of customers or employees
Do not request compensation for time and materials or vulnerabilities discovered

Safe Harbor

We understand the reluctance some researchers have to share information about vulnerabilities they find because of the potential for criminal or civil liability. To encourage responsible research and disclosure of security vulnerabilities, we do not intend to assert claims under the Computer Fraud and Abuse Act or claims of trespass or similar legal theories against researchers who undertake in good faith to test our systems for vulnerabilities and who bring their findings promptly to our attention. You are expected, as always, to comply with all laws applicable to you and not to disrupt or compromise any data beyond what this VDP permits.

We reserve the right in our sole discretion to determine whether your actions are taken in good faith, are consistent with this policy, or are an inadvertent violation. Please contact us before engaging in conduct that you think may be inconsistent with or unaddressed by this policy. Your efforts to proactively contact us before engaging in any action inconsistent with or unaddressed by this policy will be an important factor in our determination.

Thank you for helping keep the Federal Reserve and our users safe!