Introduction:
The Office of Technology and Innovation (OTI) is dedicated to leveraging technology to better the lives of New Yorkers. As part of our mission to enhance the City's cyber resilience, NYC Cyber Command has partnered with Synack to establish a Vulnerability Disclosure Program (VDP) for IT developers and security researchers to identify vulnerabilities in City-owned websites and systems and responsibly disclose them. This program provides guidelines, rules of engagement, and a secure channel for vulnerability submissions, emphasizing the importance of not publicly disclosing the vulnerabilities.
The scope and rules of engagement (ROE) describe the systems and types of research that are permitted under the VDP, explain how and where to submit vulnerabilities, and ask researchers not to publicly disclose submitted vulnerabilities.
Vulnerability Disclosure Policy:
This page is for security researchers interested in reporting security vulnerabilities.
The details within your request form will be submitted to ResponsibleDisclosure.com (operated by the City’s independent third-party contractor, Synack). If you have reported an issue determined to be within program scope and to be a valid security issue, ResponsibleDisclosure.com will validate your finding and you will be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by ResponsibleDisclosure.com through their platform; accordingly, you must accept the ResponsibleDisclosure.com terms of service if you wish to proceed. All queries are to be directed to ResponsibleDisclosure.com and managed exclusively through the ResponsibleDisclosure.com online portal.
Typical Vulnerabilities Accepted:
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
Typical Out of Scope:
- Theoretical/unverified vulnerabilities including scan results
- Informational disclosure of non-sensitive data
- Low impact session management issues
- Self XSS (user defined payload)
- Testing of operational technology (OT) / industrial control systems (ICS) belonging to The City of New York
For a full list of program scope and rules of engagement (ROE) visit the Vulnerability Disclosure Program details page.
Vulnerability Disclosure Guidelines:
- Do not submit false/test requests or applications for City services on City systems where legitimate applicant information is required. These forms are certified to their truthfulness and carry separate penalties when false information is deliberately submitted.
- Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.com
- Work directly with ResponsibleDisclosure.com on vulnerability submissions
- Provide a detailed proof-of-concept description that allows the vulnerability to be reproduced
- Do not engage in disruptive testing such as DoS, or in any action that could impact the confidentiality, integrity, or availability of information and systems
- Do not engage in social engineering or phishing of customers or employees
- Do not request compensation for time and materials or vulnerabilities discovered