
Public Vulnerability Disclosure Policy

Policy objectives

The Consumer Financial Protection Bureau’s (CFPB) Vulnerability Disclosure Policy facilitates the CFPB’s awareness of otherwise unknown system vulnerabilities. CFPB is committed to authorizing good faith security research, responding to valid vulnerability reports, promoting organizational transparency, and improving security. This Policy also supports federal efforts to standardize vulnerability reporting across all agencies. We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered so that we can fix them and keep our information safe. This Policy describes what systems and types of research are covered by it, how to report vulnerabilities, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Applicable systems scope

The Bureau systems within the scope of this Policy are listed below:

Any service not expressly listed above, including any connected services, is excluded from the scope of this Policy and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors also fall outside of this Policy’s scope and should be reported directly to the vendor according to their own vulnerability disclosure policies. If you aren’t sure whether a system is in scope, or it isn’t but you think it merits testing, please contact us at security@cfpb.gov to discuss. We anticipate increasing the scope of this Policy over time to include additional systems.

Guidelines

CFPB will not recommend or pursue legal action against anyone for security research activities that the CFPB concludes represent a good faith effort to follow this Policy. The CFPB deems such activity to be authorized.

The guidelines below clarify which actions security researchers may and may not take when researching vulnerabilities. Under this Policy, “security research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, data or privacy breaches, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly (see the Coordinated Disclosure section).
  • Do not submit a high volume of low-quality reports.

Once you have established that a vulnerability exists, or if you encounter any sensitive data (e.g., Personally Identifiable Information (PII), financial information, proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else. A failure to adhere to this disclosure rule may result in legal action.

Test methods

Security researchers shall:

  • Immediately cease testing and notify us upon discovery of a vulnerability
  • Immediately cease testing and notify us upon discovery of an exposure of nonpublic data
  • Immediately notify us upon discovery of any exposure or disclosure of sensitive data, including PII
  • Purge any stored CFPB nonpublic data upon reporting a vulnerability

Security researchers may:

  • Temporarily view CFPB nonpublic information only to the extent necessary to document the presence of a potential vulnerability.

Security researchers shall not:

  • Test any system other than those identified in the ‘Applicable Systems Scope’ section
  • Disclose vulnerability information except as set forth in the Submitting a Vulnerability Report and Coordinated Disclosure sections
  • Engage in physical testing of facilities or resources (e.g., office access, open doors, tailgating)
  • Engage in social engineering (e.g., “vishing”)
  • Send unsolicited electronic mail to CFPB users (e.g., “phishing” messages)
  • Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks, or other tests that impair access to or damage a system or data
  • Introduce malicious software
  • Use a CFPB system to launch redirect or amplification attacks against other systems
  • Test in a manner which could degrade the operation of CFPB systems; or intentionally impair, disrupt, or disable CFPB systems
  • Test third-party applications, websites, or services that integrate with, or link to or from, CFPB systems
  • Delete, alter, share, retain, or destroy CFPB data (to include sensitive data and nonpublic information [1]), or render any CFPB data exposed by the vulnerability inaccessible
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on CFPB systems, or “pivot” to other CFPB systems
  • Disclose any type of sensitive information (technical, financial, operational, regulatory, etc.) or any PII exposed or made accessible by the vulnerability to a third party [2]

Submitting vulnerability reports [3]

If you are a security researcher and would like to submit a vulnerability report, please do so by sending an email to security@cfpb.gov with the following information. Providing these details lets the CFPB triage and prioritize reports more accurately. Submissions may be reported anonymously. The CFPB prefers that reports be submitted in English, if possible.

  • The full website URL where the vulnerability was found
  • The date and time of discovery
  • A detailed description of the vulnerability and potential impact of exploitation
  • Technical information security analysts can use to replicate the issue (e.g., screenshots offering a detailed description of the steps needed to reproduce the vulnerability)
  • Any proof of concept code (if available)
    • We request that any scripts or exploit code be embedded into non-executable file types (e.g., .txt)
    • We can process all common file types and file archives, including zip, 7zip, and gzip
  • Optional: Contact information if you authorize the Bureau to contact you for further technical details to analyze the weakness (Note: this step is optional. If you submit a vulnerability report via email without including contact information, we will assume it is an anonymous submission using a temporary email address. We will not acknowledge receipt or attempt to reply to these submissions.)

The CFPB prefers that email messages submitting vulnerability reports be encrypted. We can utilize opportunistic Transport Layer Security (TLS) encryption for both incoming and outgoing electronic mail. Note that opportunistic TLS encrypts a message only in transit between mail servers, hop by hop, and a server along the path that does not negotiate TLS will receive the message in cleartext; it is not end-to-end encryption of the report itself. If you are unsure whether you can encrypt your message using your email client, contact us at security@cfpb.gov and we can provide a secure portal for you to communicate your report.
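Because opportunistic TLS protects only the legs on which both mail servers negotiated it, the `Received:` chain of a delivered message is the record of which hops were encrypted. The following is an added example (not CFPB code or tooling) that parses that chain and flags cleartext hops; run it over the headers of the acknowledgement you receive, or of a test message sent through the same relays to a mailbox you control. The host names, addresses and queue ids in the sample block are constructed (RFC 5737 documentation ranges), and the two `Received:` formats it recognizes (Sendmail/Exim style `version=TLS1_3` and Postfix style `using TLSv1.2`) are the common ones, not an exhaustive list.

```python
"""Check whether every SMTP hop in a message's Received: chain used TLS.

Added example, not CFPB code. Received: headers are prepended by each server,
so the first header in the message is the last hop; we reverse to get the
chronological path. Hosts, IPs and ids below are constructed sample data.
"""
import email
import re

# Constructed sample: three hops, the first (researcher laptop -> relay) in cleartext.
SAMPLE_HEADERS = """\
Received: from mx-in.example.gov (mx-in.example.gov [192.0.2.10])
 by mailbox.example.gov with ESMTPS id abc123
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Tue, 4 Jun 2024 10:01:02 +0000
Received: from relay.researcher.example (relay.researcher.example [198.51.100.7])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 by mx-in.example.gov (Postfix) with ESMTPS id def456; Tue, 4 Jun 2024 10:01:01 +0000
Received: from laptop.researcher.example (unknown [203.0.113.5])
 by relay.researcher.example with ESMTP id ghi789; Tue, 4 Jun 2024 10:01:00 +0000

"""

_FROM = re.compile(r"^from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
# The transport keyword follows the "by" clause; anchoring on "by" avoids matching
# the "with cipher ..." inside Postfix's TLS comment.
_WITH = re.compile(r"\bby\s+\S+.*?\bwith\s+(\S+)", re.I)
# Sendmail/Exim style "(version=TLS1_3 ...)" and Postfix style "(using TLSv1.2 ...)".
_TLS_VERSION = re.compile(r"(?:version=|using\s+)(TLSv?[0-9._]+)", re.I)


def _first(pattern, text, default=""):
    """Return group 1 of the first match, or the default."""
    m = pattern.search(text)
    return m.group(1) if m else default


def parse_hop(received_value: str) -> dict:
    """Extract from/by hosts, transport keyword and TLS evidence from one Received: value."""
    text = " ".join(received_value.split())  # unfold the header onto one line
    proto = _first(_WITH, text).upper()
    version = _first(_TLS_VERSION, text)
    # ESMTPS / ESMTPSA / SMTPS mean TLS was negotiated for this hop (RFC 3848);
    # a bare ESMTP/SMTP keyword with no TLS version recorded means cleartext.
    tls = proto.rstrip("A").endswith("S") or bool(version)
    return {
        "from": _first(_FROM, text, "?"),
        "by": _first(_BY, text, "?"),
        "with": proto,
        "tls": tls,
        "tls_version": version,
    }


def tls_hops(raw_headers: str) -> list:
    """Parse all Received: headers and return the hops oldest-first."""
    msg = email.message_from_string(raw_headers)
    values = msg.get_all("Received") or []
    return [parse_hop(v) for v in reversed(values)]


def plaintext_hops(raw_headers: str) -> list:
    """Describe every hop that was not protected by TLS, as 'from -> by'."""
    return [f'{h["from"]} -> {h["by"]}' for h in tls_hops(raw_headers) if not h["tls"]]


def all_hops_encrypted(raw_headers: str) -> bool:
    """True only if there is at least one hop and every hop shows TLS evidence."""
    hops = tls_hops(raw_headers)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for h in tls_hops(SAMPLE_HEADERS):
        status = f'TLS {h["tls_version"] or "(version not recorded)"}' if h["tls"] else "CLEARTEXT"
        print(f'{h["from"]} -> {h["by"]} [{h["with"]}]: {status}')
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_HEADERS))
```

One caveat on interpreting the result: each `Received:` line is written by the receiving server and can only be trusted as far as that server is; a relay you do not control can omit or misstate its TLS details. The check is therefore useful for confirming that your own submission path (client to relay, relay to the recipient's MX) negotiated TLS, not as proof about hops you cannot see.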

Coordinated disclosure

The CFPB is committed to the timely correction of reported vulnerabilities. However, we recognize that it may take time to validate and implement corrective actions depending on the nature of your discovery. Therefore, we require that you refrain from sharing information about discovered vulnerabilities for 180 calendar days after your submission. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us at security@cfpb.gov. We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. We will not share names or contact information for security researchers unless given explicit permission.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 3 business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.

Frequently asked questions

The CFPB will not recommend or pursue legal action against anyone for security research activities that the CFPB concludes represent a good faith effort to follow this Policy.

The Bureau may provide recognition to individuals and/or organizations who provide viable information that helped to remediate a security vulnerability. Your name or other information will only be shared if you provide explicit permission for the disclosure.

No, this is not intended to be a “bug bounty” program.

Yes, you may submit an anonymous report. However, if you report anonymously, we will not be able to provide you any feedback on the submission.

You may send your question to security@cfpb.gov.

References

  1. Nonpublic information refers to information which the Bureau did not intend to disclose; it may or may not include sensitive data, as defined above.
  2. This is intended to protect sensitive information; it is not intended to restrict the reporting person(s) from providing relevant details to the Bureau to close the vulnerability.
  3. Security researchers will not receive compensation for submitting vulnerability reports (e.g., a “bug bounty”).