The NASA Mission is to drive advances in science, technology, aeronautics, and space exploration to enhance knowledge, education, innovation, economic vitality and stewardship of the Earth. A great deal of NASA work leverages information technology to capture, interpret, and appropriately share scientific knowledge in the furtherance of its Missions and Programs. NASA is committed to protecting the confidentiality (where appropriate), integrity, and availability of its information and information systems.
NASA recognizes that external vulnerabilities can be discovered by anyone at any time and has issued this policy in order to provide clear guidelines to security researchers so that they feel comfortable reporting vulnerabilities they have discovered in good faith.
If you believe you have found a security vulnerability in any of NASA-owned repository that meets NASA's criteria of a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.
NASA accepts vulnerability reports via e-mail to vulnerability-report@nasa.gov. Reports may be submitted anonymously.
This reporting mechanism is not intended for use by NASA employees, contractors, and others with authorized IT access at NASA. NASA personnel should use NASA-internal IT support and reporting mechanisms rather than this program.
In order to help us triage and prioritize submissions, NASA recommends that vulnerability reports:
• Describe the vulnerability, where it was discovered (location of affected source code), and the potential impact of exploitation.
• Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
• Any special configuration required to reproduce the issue.
NASA prefers all communications to be in English.
NASA follows the principle of Vulnerability Disclosure Policy.
This vulnerability disclosure policy facilitates NASA’s awareness of otherwise unknown vulnerabilities. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery and disclosure activities to help NASA meet its objectives, and to convey how to submit discovered vulnerabilities to NASA.
This policy further describes:
• What systems and types of research are covered under this policy,
• General guidelines for demonstrating good faith,
• How to submit vulnerability reports, and
• What to expect following a vulnerability report.
It is advised to thoroughly read and understand NASA's Vulnerability Disclosure Policy before proceeding to report any issue to NASA.