Authorization
Guidelines
Notify us as soon as possible after you discover a real or potential security issue.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems.
Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
Do not intentionally compromise the privacy or safety of HHS personnel (e.g. civilian employees or military members), or any third parties.
Do not intentionally compromise the intellectual property or other commercial or financial interests of any HHS personnel or entities, or any third parties.
Scope
Security researchers must not:
test any system other than the systems set forth in the 'Scope' section above;
disclose vulnerability information except as set forth in the 'Reporting a Vulnerability' and 'Disclosure' sections below;
engage in physical testing of facilities or resources;
engage in social engineering;
send unsolicited electronic mail to HHS users, including "phishing" messages;
execute or attempt to execute "Denial of Service" or "Resource Exhaustion" attacks;
introduce malicious software;
test in a manner which could degrade the operation of HHS systems, or intentionally impair, disrupt, or disable HHS systems;
test third-party applications, websites, or services that integrate with or link to or from HHS systems;
delete, alter, share, retain, or destroy HHS data, or render HHS data inaccessible; or
use an exploit to exfiltrate data, establish command line access, establish a persistent presence on HHS systems, or "pivot" to other HHS systems.
Security researchers may:
view or store HHS nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must:
cease testing and notify us immediately upon discovery of a vulnerability;
cease testing and notify us immediately upon discovery of an exposure of nonpublic data; and
purge any stored HHS nonpublic data upon reporting a vulnerability.
Reporting a Vulnerability
Adhere to all legal terms and conditions outlined at https://www.hhs.gov/vulnerability-disclosure-policy and the HHS Responsible Disclosure Terms of Service.
Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).