The U.S. Small Business Administration (SBA) takes seriously our responsibility to protect the public’s information, including financial and personal information, from unwarranted disclosure. However, as an agency with extensive citizen-facing data collection requirements, the risk of disclosure is real.
To help minimize that risk, and in accordance with the U.S. Department of Homeland Security (DHS) Binding Operational Directives (BODs), SBA encourages cybersecurity researchers to report vulnerabilities that they have discovered so that SBA can take appropriate action to fix those vulnerabilities and keep our stakeholders’ information safe.
This notification describes what systems and types of research are covered under this policy, how to report vulnerabilities, and the period we ask cybersecurity researchers to wait before publicly disclosing vulnerabilities.
We ask that cybersecurity researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
- Only use exploits to the extent necessary to confirm a vulnerability. This includes not using an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Once it is confirmed that a vulnerability exists or gaining access to any of the sensitive data outlined below, stop the test, and notify us immediately.
- Keep confidential any information about discovered vulnerabilities for a minimum of (90) calendar days after the cybersecurity researcher has notified SBA through the process described herein
This policy applies to the following systems:
- sba.gov and all subdomains
- sbir.gov and all subdomains
- business.gov and all subdomains
- nwbc.gov and all subdomains
Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Vulnerabilities found in non-federal systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If cybersecurity researchers are not sure whether a system or endpoint is in scope or not, contact CISO@sba.gov before starting research.
If the cybersecurity researcher encounters any of the below on our systems while testing within the scope of this policy, stop the test and notify us immediately:
- Personally Identifiable Information (PII)
- Financial information (e.g., credit card or bank account numbers)
- Proprietary information or trade secrets of any party
The following test types are not authorized:
- User interface bugs or typos
- Network denial of service (DoS or DDoS) tests
- Physical access testing (office access, open doors, tailgating)
- Social engineering such as phishing or any other non-technical vulnerability testing
SBA will not pursue civil action for accidental, good faith violations of its policy or initiate a complaint to law enforcement for unintentional violations. SBA considers activities conducted consistent with the policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against a party who complied with the vulnerability disclosure policy, SBA will take steps to make it known, either to the public or to the court, that the individual’s actions were conducted in compliance with the policy.
Disclosure of vulnerabilities is voluntary. In no case shall disclosure of vulnerability information to the SBA constitute a contractual or any other type of relationship with SBA. By submitting a vulnerability, the cybersecurity researcher must expressly acknowledge that, “I have no expectation of payment for these services and I expressly waive any future pay claims against the U.S. government related to the submission.”
Reporting a vulnerability
The cybersecurity researcher should submit any vulnerability reports to the SBA vulnerability intake portal.
Reports should include the following details:
- Description of the location and potential impact of the vulnerability
- Date and time that the vulnerability test was executed
- A detailed description of the steps required to reproduce the vulnerability. Proof of concept scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
- Any technical information and related materials needed to reproduce the issue
Please keep vulnerability reports current by sending any new information to CISO@sba.gov as it becomes available. To the extent possible reports should be encrypted.
After review, SBA may share some vulnerability data with the Cyber Emergency Response Team (US-CERT), as well as any affected vendors or open source projects.
While SBA does accept anonymous submissions, researcher anonymity may limit SBA’s ability to collaborate on remediation efforts.
SBA is committed to continually remediating vulnerabilities and disclosing the details of those vulnerabilities when fixes are implemented. SBA further believes that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software and applications better is to share such remediations.
However, disclosure of a vulnerability in the absence of a timely remediation increases risk to our stakeholders’ data, and so we ask cybersecurity researchers to refrain from sharing SBA’s vulnerability information with others while we work on our remediation approach. If others should be informed of the vulnerability before the appropriate remediation is available, please let us know so we can coordinate.
SBA may want to coordinate a public notification with a cybersecurity researcher to be published simultaneously with the remediation, but cybersecurity researchers may self-disclose if they prefer.
SBA does not publish information about a cybersecurity researcher without his/her permission. In some cases, SBA may have sensitive information that must be redacted from public disclosure, so cybersecurity researchers must obtain approval from SBA before self-disclosing. Failing to do so undermines the good faith sentiment that this policy strives to achieve.