Table of Contents
1. Guidelines
2. Low Impact Vulnerabilities – Out of Scope
3. Mandatory Requirements
4. Scope
1. Guidelines
NYC Cyber Command appreciates your effort to help make New York City the most cyber resilient city in the world and we ask that you:
- Disclose vulnerabilities as soon as possible using the Vulnerability Disclosure Program submission form;
- Avoid activities that may result in the disruption of system availability, degrade user experience, or that may result in the damage or destruction of data;
- Do not submit false/test requests or applications for City services on City systems where legitimate applicant information is required. These forms are certified to their truthfulness and carry separate penalties when false information is deliberately submitted;
- Use exploits to the minimum extent needed to confirm a vulnerability. Do not conduct post-exploitation activities such as data exfiltration, establishing persistence, or pivoting;
- Immediately halt test activity and notify NYC Cyber Command via the Vulnerability Disclosure Program submission form if you identify sensitive information such as personally identifiable information (PII) or financial information. Sensitive information identified may be covered under other legal requirements, regulations, or safeguarding measures that supersede the protections and authority of the Vulnerability Disclosure Program and these rules of engagement.
2. Low Impact Vulnerabilities – Out of Scope
The following vulnerabilities are considered Out of Scope:
- Theoretical/unverified vulnerabilities including scan results
- Automated scan results
- Google Maps API keys
- Account/e-mail enumeration using brute-force attacks
  - Valid user account/email enumeration not requiring brute-force will be considered
- Any low impact issues related to session management (e.g., concurrent sessions, session expiration, password reset/change log out, etc.)
- Bypassing content restrictions in uploading a file without proving the file was received
- Clickjacking/UI redressing
- Client-side application/browser autocomplete or saved password/credentials
- Descriptive or verbose error pages without proof of exploitability or obtaining sensitive information
- Directory structure enumeration (unless the fact reveals exceptionally useful information)
- Incomplete or missing SPF/DMARC/DKIM records
- Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate limiting protections
  - Account compromises (especially admin) as a result of these issues will likely be considered VALID
- Lack of SSL or mixed content
  - Leaking session cookies, user credentials, or other sensitive data will be reviewed on a case-by-case basis
  - If leaking of sensitive data requires MiTM positioning to exploit, it will be considered out of scope
- Login/Logout/Unauthenticated/Low-impact CSRF
  - CSRF vulnerabilities may be acceptable if they are of higher impact. Examples of low impact CSRF include: add/delete from cart, add/remove wishlist/favorites, non-severe preference options, etc.
- Low impact Information disclosures (including Software version disclosure)
- Missing cookie flags
- Missing/enabled HTTP headers/methods which do not lead directly to a security vulnerability
- Reflected file download attacks (RFD)
- Self-exploitation (e.g., password reset links or cookie reuse)
- SSL/TLS best practices that do not contain a fully functional proof of concept
- URL/open redirection
- Use of a known-vulnerable library which leads to a low-impact vulnerability (e.g., an outdated jQuery version leading to low impact XSS)
- Valid bugs or best practice issues that are not directly related to the security posture of the client
- Vulnerabilities affecting users of outdated browsers, plugins, or platforms
- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g., Self-XSS)
  - Self-XSS for a persistent/stored XSS will be considered. The only circumstances under which we will not require proof of impact to multiple users is for Persistent/Stored XSS in cases where only one set of credentials is available to the researcher and other users cannot be tested. We will require documentation or evidence reasonably proving the functionality is available to other users/backend team/admin for the report to be considered.
  - Any type of XSS that requires a victim to press an unlikely key combination is NOT in scope (e.g., alt+shift+x for payload execution)
Additional specific vulnerability types considered out of scope due to low impact:
- IIS tilde file and directory disclosure
- SSH username enumeration
- WordPress username enumeration
- SSL weak ciphers
- CSV injection
- PHP Info
- Server-Status if it does not reveal sensitive information
- Snoop info disclosures
3. Mandatory Requirements
The following types of research testing methods are prohibited and are in violation of the City of New York’s Vulnerability Disclosure Program and protections:
- Submitting false/test requests or applications for City services on City systems where legitimate applicant information is required. These forms are certified to their truthfulness and carry separate penalties when false information is deliberately submitted;
- Security testing on operational technology (OT) / industrial control systems (ICS) managed by the City of New York (reports of information security concerns about such systems are still welcome);
- Network denial of service (DoS or DDoS) tests;
- Social engineering (e.g., phishing, vishing); and
- Any other non-technical vulnerability testing.
Any testing that deliberately results in the following is also prohibited by the Program:
- Privacy violations;
- Degradation of user experience;
- Disruption to production systems;
- Destruction, manipulation, or exfiltration of data;
- Establishment of command line access and/or persistence; and
- Access to out-of-scope systems.
4. Scope
The following are in-scope for the City of New York’s Vulnerability Disclosure Program:
- All systems within NYC public IP space
- All websites and web applications belonging to the nyc.gov and cityofnewyork.us domains
- All websites and web applications where the Vulnerability Disclosure Program participation notification appears