The National Science Foundation (NSF) is an independent federal agency whose mission is "to promote the progress of science; to advance the national health, prosperity, and welfare; to secure the national defense..." NSF funds approximately 25 percent of all federally supported basic research conducted by America's colleges and universities.
Protecting information is integral to the NSF mission. NSF has a proactive structure to communicate about and implement NSF's Information Technology (IT) security and privacy program objectives and agency-wide initiatives. NSF aligns security and privacy program activities with industry standards and best practices. NSF is also committed to ensuring the security of the American public by protecting their information.
NSF welcomes the research and assessment of potential vulnerabilities from independent researchers. In compliance with the U.S. Department of Homeland Security Binding Operational Directive 20-01, Develop and Publish a Vulnerability Policy (September 2, 2020), the NSF Vulnerability Disclosure Policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities about NSF, and to convey NSF preferences in how to submit discovered vulnerabilities to NSF.
NSF's Vulnerability Disclosure Policy describes:
NSF encourages the public to use the processes described in this policy to report potential vulnerabilities in its systems.
Information submitted under this policy will be used for defensive purposes only: to mitigate or remediate vulnerabilities. If a researcher's findings include newly discovered vulnerabilities that affect all users of a product or service and not solely NSF, NSF may share the researcher's report with the Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under CISA's coordinated vulnerability disclosure process. The researcher's name or contact information will not be shared without express permission.
If a researcher makes a good faith effort to comply with NSF's Vulnerability Disclosure Policy during his/her security research, NSF will consider the research to be authorized and NSF will work with the researcher to understand and resolve the issue quickly. NSF will not recommend or pursue legal action related to the research. Should legal action be initiated by a third party against the researcher for activities that were conducted in accordance with NSF's Vulnerability Disclosure Policy, NSF will make this authorization known.
Under this policy, a researcher is expected to comply with the following principles:
Once a researcher has established that a vulnerability exists or encounters any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), the researcher must stop their test, notify NSF immediately, and not disclose the data to anyone else.
The following test methods are not authorized:
NSF's Vulnerability Disclosure Policy applies to all NSF internet-accessible systems and services:
Vulnerabilities found in systems from NSF vendors fall outside the policy's scope and should be reported directly to the vendor according to the vendor's disclosure policy.
Researchers who discover a potential vulnerability that may compromise NSF data or services are asked to follow the notification process below:
Send notification of a potential vulnerability through NSF's security point of contact email address firstname.lastname@example.org. Please provide the following information:
Researcher submissions are acknowledged within three business days of submission.
Researchers are asked to refrain from public announcement or discussion of their potential vulnerability findings for 90 business days from the submission date, to allow investigation and mitigation by NSF IT specialists.
NSF will coordinate with the researcher as openly and as quickly as possible:
NSF IT specialists are responsible for beginning the investigation of publicly reported potential vulnerabilities within three business days of submission.
Questions regarding this policy may be sent to email@example.com. NSF also invites researchers to contact NSF with suggestions for improving this policy.