As a U.S. Government agency, the General Services Administration (GSA) takes seriously our responsibility to protect the public's information, including financial and personal information, from unwarranted disclosure.
Software developed by the U.S. General Services Administration (GSA) is subject to the GSA Vulnerability Disclosure Policy.
Please consult our policy for:
- How to submit a report if you believe you have discovered a vulnerability.
- GSA's coordinated disclosure policy.
- Information on how you may conduct security research on GSA developed software and systems.
- Important legal and policy guidelines.
Please note that only certain branches are supported with security updates.
| Version (Branch) | Supported |
|---|---|
| main | ✅ |
| other | ❌ |
When using this code or reporting vulnerabilities please only use supported versions.
Security researchers shall:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems. Once you've established that a vulnerability exists, or encountered any of the sensitive data outlined above, you must stop your test and notify us immediately.
- Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified GSA. For details, please review Coordinated Disclosure.