Data & Insights supports public sector organizations in improving their transparency, citizen service, and data-driven decision-making. We, therefore, take the security of our systems extremely seriously and value the role of the security researcher community in our efforts. The disclosure of security vulnerabilities by security researchers helps us to ensure the security and privacy of our users' data.
To manage the risk of outages or performance degradation related to vulnerability testing, we have introduced new vulnerability testing guidelines. These guidelines apply to all vulnerability testing activity against any Data & Insights-powered site.
First and foremost, please note that you will be performing a test against a production environment!
- Limit the use of automated scanners and aggressive scripts.
- All testing should be limited to 0700-1800 PDT (GMT -7). No testing is permitted outside of these hours.
- If you suspect a Denial-of-Service or memory starvation attack is possible, DO NOT ATTEMPT THE ATTACK. Please report it, and we'll try it during our next scheduled maintenance window.
- If you are able to compromise any datasets or accounts to the point where you would be able to make modifications, DO NOT DO SO. Let us know and we will create a test asset for you to try the changes on.
The customer conducting security testing may only target their own sites on the Data & Insights platform.
The following elements must be explicitly excluded from the scope of any vulnerability testing activity:
- Data & Insights-powered sites of other customers.
- Any services hosted by third-party providers that are incorporated into the platform (e.g. status.io, SendGrid, Airbrake, Google Analytics, etc.)
- AWS infrastructure (e.g. s3.amazon.com).
Forbidden Testing Activity
- All forms of load testing and Denial-of-Service attacks.
- All forms of brute-force attacks, including user credentials or URL guessing.
Please report any findings to firstname.lastname@example.org and CC your Account Manager or Customer Success Manager on the submission.
If any data is retrieved as part of the test exercise, the artifact/proof of the vulnerability must be stored securely and deleted once it is no longer necessary. Please do not include in the vulnerability report any sensitive information discovered during the research.
Notification of the Automated Testing Activity
We require at least two business days' notice of any planned automated testing activity against the platform. See our hours of operation here.
Communication should include the following details:
- start and end date of planned testing activity;
- test targets (a list of domains in scope);
- the range of IP addresses from which the requests will be coming in;
- scanning tools in use;
- direct contact information (email and phone number) of the responsible person on the executing side.
This information should be emailed to email@example.com at least two business days in advance of testing.
Communication with Third Parties
It is the customer's responsibility to communicate these testing guidelines to any third parties which are performing security assessments on the customer's behalf.
Please email our security team at firstname.lastname@example.org if you have any questions about the vulnerability testing process.