Welcome to The City of New York Vulnerability Disclosure Program
By submitting a vulnerability to The City of New York through ResponsibleDisclosure.com, you agree to the Terms of Service.
Get Started


Introduction:

The Office of Technology and Innovation (OTI) is dedicated to leveraging technology to better the lives of New Yorkers. As part of our mission to enhance the City's cyber resilience, NYC Cyber Command has partnered with Synack to establish a Vulnerability Disclosure Program (VDP) for IT developers and security researchers to identify vulnerabilities in City-owned websites and systems and responsibly disclose them. This program provides guidelines, rules of engagement, and a secure channel for vulnerability submissions, emphasizing the importance of not publicly disclosing the vulnerabilities.

The scope and rules of engagement (ROE) describe the systems and type of research that are permitted under VDP, how and where to submit vulnerabilities, and asks researchers to not publicly disclose submitted vulnerabilities.

Vulnerability Disclosure Policy:

This page is for security researchers interested in reporting security vulnerabilities.

The details within your request form will be submitted to ResponsibleDisclosure.com (operated by the City’s independent third-party contractor, Synack). If you have reported an issue determined to be within program scope and to be a valid security issue, ResponsibleDisclosure.com will validate your finding and you will be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by ResponsibleDisclosure.com through their platform; accordingly, you must accept the ResponsibleDisclosure.com terms of service if you wish to proceed. All queries are to be directed to ResponsibleDisclosure.com and managed exclusively through the ResponsibleDisclosure.com online portal.


Typical Vulnerabilities Accepted:



Typical Out of Scope:

For a full list of program scope and rules of engagement (ROE) visit the Vulnerability Disclosure Program details page.


Vulnerability Disclosure Guidelines: