Vulnerability Disclosure Policy
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at United States Postal Service® (USPS®) web properties, and submitting discovered vulnerabilities to USPS through HackerOne.com.
By clicking Submit a Report, you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to USPS information systems, and consent to having the contents of the communication and follow-up communications stored on a U.S. Government information system.
Overview
USPS provides critical services by maintaining a global communication and commerce network. We take our mission seriously and recognize the need to maintain vigilance over our cyber risk to protect the services we provide and the data we hold.
USPS has created a vulnerability disclosure program because we believe your feedback will help us protect the services we provide and keep private data private. We are excited to hear from you on what we need to do to improve. Information submitted to USPS under this policy will be used for defensive purposes: to mitigate or remediate vulnerabilities in our networks or applications and so improve the security of systems accessible via our network.
Review, understand, and agree to the following terms and conditions before conducting any testing of USPS networks and before submitting a report. If there is any ambiguity over how to approach a situation that you encounter, please use “do no harm” as your guiding principle.
Scope
Any public-facing website owned, operated, or controlled by USPS, including web applications hosted on those sites.
How to Submit a Report
Provide a detailed summary of the vulnerability, including:
- Type of issue
- Product, version, and configuration of software containing the bug
- Step-by-step instructions to reproduce the issue
- Proof-of-concept
- Impact of the issue
- Suggested mitigation or remediation actions, as appropriate
On our side, we will be looking to replicate your findings and remediate based on potential impact.
Guidelines
USPS will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
- Your activities are limited exclusively to:
- (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
- (2) Sharing with, or receiving from, USPS information about a vulnerability or an indicator related to a vulnerability.
- You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on USPS information system(s)—except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You do not exfiltrate any data under any circumstances.
- You do not intentionally compromise the privacy, confidentiality, or safety of USPS personnel or any third parties.
- You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from USPS.
- You do not conduct denial of service testing.
- You do not conduct social engineering, including spear phishing, of USPS personnel or contractors.
- You do not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
- You submit any known or recommended remediations or mitigations with your report.
Out of Scope
The following issue types are out of scope and will not be accepted as valid reports, and the activities listed are not allowed:
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (a browser is considered current if it is less than 2 stable versions behind the latest released stable version)
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Accessing any third-party systems, including those linked to USPS systems
What You Can Expect From Us
We take every disclosure seriously and very much appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
USPS provides critical communication and commerce infrastructure for the U.S. economy and the world. We take our responsibility to protect our network seriously and will give your feedback due thought and consideration.
USPS remains committed to coordinating with the researcher as openly and quickly as possible. This includes:
- Within 2 business days, HackerOne will acknowledge receipt of your report. USPS’s security team will investigate the report and may contact you for further information.
- To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.
- We want researchers to be recognized publicly for their contributions, if that is the researcher’s desire. We will seek to allow researchers to be publicly recognized whenever possible. However, use of USPS’s name or brand will only be authorized with express written permission. Public disclosure of vulnerabilities will only be authorized with the express written consent of USPS.
- Information submitted to USPS under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors.
Legal
USPS does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy. If you engage in any activities that are inconsistent with this policy, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-USPS entity (e.g., other federal departments or agencies; state, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-USPS third party may independently determine whether to pursue legal action or remedies related to such activities.
If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) USPS will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than USPS, USPS will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.
USPS may modify the terms of this policy or terminate the policy at any time.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.