This policy governs vulnerability research and reporting for NIH systems and services under the HHS Vulnerability Disclosure Policy.

Report all security issues using GitHub's private vulnerability reporting feature.

Click "Report a vulnerability" on the Security Advisories tab. Do not open a public issue or report through email, Slack, or any other channel.

Your report will be received securely, kept confidential, and routed to the right people. See GitHub's documentation for how the process works.

Note: The HHS VDP also accepts reports at hhs.responsibledisclosure.com. For vulnerabilities in this repository or NIH systems hosted here, use the GitHub report link above so the responsible team is notified directly.

Please include:

• What the vulnerability is and its potential impact
• Where it was found
• Steps to reproduce (proof-of-concept scripts or screenshots are helpful)

Issued under the HHS VDP — Authorization.

Good faith research conducted under this policy is authorized. NIH and HHS will work with you to resolve issues quickly and will not pursue legal action related to your research.

Issued under the HHS VDP — Guidelines.

Authorized research means you:

• Notify us as soon as possible after discovering a real or potential security issue
• Avoid privacy violations, user experience degradation, production system disruption, and data destruction or manipulation
• Use exploits only to the extent necessary to confirm a vulnerability — do not exfiltrate data, establish access or persistence, or pivot to other systems
• Allow a reasonable amount of time to resolve the issue before public disclosure
• Do not compromise the privacy, safety, intellectual property, or financial interests of HHS/NIH personnel or third parties

If you discover a vulnerability or encounter any sensitive data (PII, financial, proprietary, or trade secrets), stop testing, report immediately via the GitHub private vulnerability report, and do not disclose the data to anyone else.

Issued under the HHS VDP — Scope.

nih.gov and all its subdomains are in scope. Vendor systems are out of scope — report those to the vendor directly.

Unsure if a system is in scope? Contact [email protected] before testing.

Issued under the HHS VDP — Rules of Engagement.

Must not:

• Test systems outside the scope above
• Disclose vulnerability information except as described in this policy
• Conduct physical testing, social engineering, or phishing
• Execute denial-of-service or resource exhaustion attacks
• Introduce malicious software
• Degrade, impair, disrupt, or disable HHS/NIH systems
• Test third-party applications or services that integrate with NIH systems
• Delete, alter, share, retain, destroy, or exfiltrate HHS/NIH data
• Use an exploit to establish access, persistence, or pivot to other systems

May:

• View or store NIH nonpublic data only as necessary to document a potential vulnerability

Must:

• Cease testing and immediately report any vulnerability or nonpublic data exposure via the GitHub private vulnerability report
• Purge any stored NIH nonpublic data upon reporting

Issued under the HHS VDP — Disclosure.

Do not share details about discovered vulnerabilities for 90 calendar days after receiving our acknowledgment. If you believe earlier disclosure is warranted, coordinate with us in advance.

Reports may be shared with CISA and affected vendors under their coordinated vulnerability disclosure process. We will not share your name or contact information without explicit permission.

Email [email protected] or see the HHS VDP.