Smithsonian Vulnerability Disclosure Policy

Purpose

The Smithsonian Institution is committed to ensuring the security of the American public by protecting their information and the nation’s heritage.

This policy is intended to give security researchers and the general public (collectively, “researchers” or “you”) guidelines for conducting vulnerability discovery activities (also referred to as “research”) directed to the Smithsonian’s public facing website, and instructions for how to submit discovered vulnerabilities to the Smithsonian Institution’s Office of the Chief Information Officer (referred to herein as “SI OCIO” or “we” or “us”).

Authorized Activities

If you comply with this policy in conducting vulnerability discovery activities, SI OCIO will consider your research to be authorized. 

Overview

The Smithsonian Institution is a trust instrumentality of the United States, lawfully created by Congress in 1846 to carry out the responsibilities it undertook in accepting the bequest of James Smithson to “found at Washington, under the name of the Smithsonian Institution, an establishment for the increase and diffusion of knowledge among men.” 

This policy describes what systems and types of security vulnerability research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in Smithsonian IT systems. However, it is the policy of the Smithsonian to not offer compensation for vulnerability reporting.

Guidelines

  • Notify us as soon as possible, and no more than 72 hours after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only conduct testing activities to the extent necessary to confirm a vulnerability’s presence.
  • Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
  • Do not open, take, or delete files.
  • Do not escalate privileges or attempt to move laterally within the network.
  • Do not disrupt access to Smithsonian sites or offerings or introduce any malware in the course of testing.
  • Provide us a reasonable amount of time (typically 100 calendar days) to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information (PII) (also referred to as “personal information”), financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test Method

Authorized security vulnerability research activities are limited to:

  • Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
  • Sharing information with, or receiving information from, SI OCIO about a vulnerability or an indicator related to a vulnerability.

The following activities are not authorized:

  • Network denial of service (DoS) tests, distributed denial-of-service (DDoS) tests, or other tests that impair or disrupt access to, or damage, Smithsonian offerings, systems, or data.
  • Physical testing (such as office access, open doors, or tailgating), social engineering (such as phishing or vishing), or any other non-technical vulnerability testing.
  • Command line access and/or persistence; pivots to other systems.
  • Accessing the content of any data stored within a Smithsonian system, except to the extent such is directly necessary to identify and prove a vulnerability exists.
  • Exfiltration or copying of Smithsonian data; do not open, take, or delete files. Should you obtain SI data during your research, immediately coordinate with SI OCIO to ensure the data is appropriately destroyed upon confirmation that the vulnerability is resolved.
  • Escalating privileges or attempting to pivot or move laterally within the network.
  • Intentional compromise of any person’s privacy or security, or that of the Smithsonian.
  • Publicly disclosing any details of a vulnerability, indicator of a vulnerability, or content of information rendered available by a vulnerability without consultation with us.

If at any point you are unsure about whether to continue or begin a particular vulnerability research activity, coordinate with SI OCIO using the contact methods provided below before proceeding.

Scope

Any services not identified here are considered out of scope and are not authorized for testing.

The following systems and services are in scope: https://www.si.edu. This does not extend to any other subdomains of si.edu, even when linked to by pages on www.si.edu.

If you are unsure whether a service is included in scope or not, contact SI OCIO using the methods provided below.

Reporting a Vulnerability

If you find a vulnerability or indicator of a vulnerability, you must provide complete and accurate information about your finding to SI OCIO using the methods below.

If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Smithsonian, we may share your report with the Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

We accept vulnerability reports at https://www.si.edu/vulnerability-disclosure-intake-form. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 5 business days.

By submitting your report, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against the Smithsonian related to your submission.

What We Request from You

In order to help us triage and prioritize submissions, we recommend that your reports:

  • Include the source and destination IP addresses, date and time of detection, and the type and description of the vulnerability discovered.
  • Describe the location where the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts, the payload used in the test, or screenshots are helpful).
  • Provide remediation actions.
  • Submit the report in English, if possible.

What You Can Expect from Us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as may be feasible in the circumstances.

  • We will acknowledge that your report has been received within 5 business days.
  • To the best of our ability, we will confirm the existence of the vulnerability to you, and any issues or challenges that may delay its resolution.
  • We will maintain an open dialogue with you to discuss issues.
  • If researchers conduct vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, then (i) SI OCIO will not initiate or recommend any law enforcement or civil actions related to such activities, and (ii) in the event you notify us of any law enforcement or civil action brought in connection with research activities, SI OCIO will take reasonable steps to make known that your activities were conducted pursuant to and in compliance with this policy.

Please be aware that, to the extent any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Smithsonian entity (e.g., other agencies, companies, or individuals), those third parties may independently determine whether to pursue legal action or remedies related to such activities.

Modifications

The Smithsonian may modify the terms of this policy or terminate it at any time.

Questions

Questions regarding this policy may be sent to SI-VDP@si.edu. We also invite you to contact us with suggestions for improving this policy. Information is collected in accordance with the Smithsonian Institution’s Privacy Statement.