Welcome to the U.S. Department of Health and Human Services Responsible Disclosure
Get Started



Introduction

The Department of Health and Human Services (HHS) is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and HHS will not recommend or pursue legal action related to your research.

Guidelines

Under this policy, “research” means activities in which you:

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

For a full list of program scope please visit the HHS Vulnerability Disclosure Policy.

Typical Vulnerabilities Accepted:

Typical Out of Scope:

For a full list of program scope please visit the Responsible Disclosure details page.

Responsible Disclosure Guidelines: