Vulnerability Disclosure Policy (VDP)

The State of New Jersey is committed to protecting its information technology resources, securing personal information, safeguarding privacy, and maintaining the physical safety of individuals. The Vulnerability Disclosure Policy (VDP) is established to promote good-faith security research, enhance the resiliency of the state's online services, and facilitate the timely identification and remediation of vulnerabilities in its information systems. This policy aims to provide clear guidelines for security researchers to conduct vulnerability discovery activities and to ensure that discovered vulnerabilities are reported and addressed in a coordinated and responsible manner.
This policy describes what systems and types of research are covered under this policy how to submit vulnerability reports.

Key Terms

Non-Public Data - data that is not intended for public distribution.
Security Testing - Process to determine that an information system protects data and maintains functionality as intended.
Sensitive Information - Information that must be protected from unauthorized access or disclosure.
Vulnerability - A weakness in a system, application, or network that is subject to exploitation or misuse.

This policy is limited to the public facing information systems, web applications, and other assets owned or controlled by the following list of New Jersey state executive branch entities.

• Board of Public Utilities
• Cannabis Regulatory Commission
• Casino Control Commission
• Civil Service Commission
• Delaware River Basin Commission
• Department of Agriculture
• Department of Banking & Insurance
• Department of Children and Families
• Department of Community Affairs
• Department of Environmental Protections
• Department of Human Services
• Department of Labor & Workforce Development
• Department of Law and Public Safety
• Department of Military and Veterans Affairs
• Department of State
• Department of Transportation
• Department of Treasury
• Division of State Police
• Election Law Enforcement Commission
• Higher Education Student Assistance Authority
• Highlands Council
• Housing and Mortgage Finance Agency
• Lottery Commission
• Motor Vehicle Commission
• New Jersey Cybersecurity and Communications Integration Cell
• New Jersey State Parole Board
• Office of Administrative Law
• Office of Emergency Management
• Office of Homeland Security and Preparedness
• Office of Information Technology
• Office of the Comptroller
• Office of the Public Defender
• Pinelands Commission

Vulnerabilities found in information systems, web applications, and other assets owned or controlled by any entity not listed above, to include those owned or controlled by vendors of the above listed entities fall outside of this policy’s scope and should be reported directly to the appropriate system owner or vendor according to their disclosure policy (if any). If you aren’t sure whether a system or endpoint is in scope or not, contact the njccic@cyber.nj.gov before starting your research.

A. Authorized Vulnerability Discovery and Reporting Guidelines

The following vulnerability discovery and reporting guidelines must be adhered to in order for the activity to be considered authorized:

1. Notify us as soon as possible after you discover a real or potential security issue;
2. Only test to the extent necessary to confirm a vulnerability in systems identified within the ‘Scope’ section above. Do not compromise or exfiltrate data, establish command line access and/or persistence, or pivot to other systems;
3. Once you've established that a vulnerability exists or encounter any sensitive information (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else;
4. Report any and all security vulnerabilities you discover to the New Jersey Cybersecurity and Communications integration Cell via the secure Vulnerability Disclosure web form at https://www.cyber.nj.gov/vdp/report;
5. Keep confidential any information about discovered vulnerabilities for at least 120 calendar days after you have notified the NJCCIC;
6. Do not submit a high volume of low-quality reports; and
7. If at any point you are uncertain whether to continue testing, please contact the NJCCIC - njccic@cyber.nj.gov or 1.833.4-NJCCIC.

B. Prohibited Vulnerability Discovery Activities and Tests

The following activities are prohibited:

1. Network denial of service (DoS or DDoS) tests or other tests that may impair access to or damage a system or data;
2. Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing;
3. Degradation of services, network, software, or hardware performance;
4. Disruption of a network, software or hardware services;
5. Any form of manipulation to the integrity of any production or public facing data, information or images;
6. Delete, alter, share, retain, or destroy State of New Jersey data, or render State of New Jersey data inaccessible;
7. Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on State of New Jersey systems, or “pivot” to other State of New Jersey systems;
8. Test any system other than the systems set forth in the ‘Scope’ section above; and
9. Disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below.

C. Security researchers may:

View or store State of New Jersey nonpublic data only to the extent necessary to document the presence of a potential vulnerability. 

D. Security researchers must:

1. Cease testing and notify us immediately upon discovery of a vulnerability;
2. Cease testing and notify us immediately upon discovery of an exposure of nonpublic data; and
3. Purge any stored State of New Jersey nonpublic data upon reporting a vulnerability.

E. Reporting a Vulnerability

We accept vulnerability reports via our secure web reporting form -https://www.cyber.nj.gov/vdp/report. Reports may be submitted anonymously.  As we do not support PGP-encrypted emails at this time, please use the web form to securely submit reports.

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely the State of New Jersey, we may share your report with the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

In order to help us triage and prioritize submissions, we recommend that your reports adhere to the terms and conditions outlined in this policy.

1. Describe the vulnerability, where it was discovered, and the potential impact of exploitation; and
2. Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful). Descriptions should include the method used to identify the vulnerability, and instructions for reproduction should be technical. Please include the date and time of the discovery to assist in identifying the events in log reports.

F. Disclosure

The State of New Jersey is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in absence of a readily available corrective action likely increases versus decreases risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 120 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.

We may share vulnerability reports with the CISA, as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.

For Vulnerability Disclosure Policy Program Acknowledgments please visit https://www.cyber.nj.gov/vdp/acknowledgements.

Questions regarding this policy may be sent to njccic@cyber.nj.gov. We also invite you to contact us with suggestions for improving this policy.