Introduction
The Anne Arundel County Office of Information Technology (OIT) is committed to ensuring the security of the public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems.
Authorization
You must comply with all applicable Federal, State, and Local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
Anne Arundel County does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Anne Arundel County entity (e.g., other Federal departments or agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Anne Arundel County third party may independently determine whether to pursue legal action or remedies related to such activities.
If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) Anne Arundel County will consider that research to be authorized, (2) will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (3) in the event of any law enforcement or civil action brought by anyone other than Anne Arundel County, Anne Arundel County will communicate as appropriate, in the absence of any legal restriction on Anne Arundel County’s ability to so communicate, that your activities were conducted pursuant to and in compliance with this policy.
Guidelines
Anne Arundel County requests that security researchers make every effort to:
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Notify Anne Arundel County as soon as possible after you discover a real or potential security issue.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide Anne Arundel County a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
- Hold Confidential Information in strict confidence, protect such Confidential Information from unauthorized use or disclosure, not disclose such Confidential Information to any third party including the public, not use such Confidential Information for any purpose outside the scope of participating in Anne Arundel County’s Vulnerability Disclosure Program, and notify Anne Arundel County immediately upon discovery of any loss or unauthorized disclosure of Confidential Information.
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify Anne Arundel County immediately, and not disclose this data to anyone else.
Test Methods
The following test methods are NOT authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
- Degradation of services, network, software, or hardware performance.
- Disruption of network, software, or hardware services.
- Any form of manipulation of the integrity of any production or public-facing data, information, or images.
- Brute-force attacks against login interfaces.
- Any attack or vulnerability that hinges on a user’s computer first being compromised.
- Previously known vulnerable libraries without a working proof of concept.
Scope
This policy applies to the systems and services listed below.
- *.aacounty.org/*
The following sites and subdomains are restricted from active vulnerability discovery and are considered out of scope for the VDP program:
- None
Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at itsecurity@aacounty.org.
Reporting a Vulnerability
Please use the form below to report security vulnerabilities to Anne Arundel County through our HackerOne partner portal.
By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against Anne Arundel County related to your submission.
If you have any questions regarding Anne Arundel County’s Vulnerability Disclosure Program please contact us at itsecurity@aacounty.org.