Vulnerability Disclosure Policy

Speeches Shim


The U.S. Agency for International Development (USAID) is committed to safeguarding our systems and sensitive information from unauthorized disclosure. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

It describes what systems and types of security research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage security researchers to contact us to report potential vulnerabilities identified in USAID systems. For reports submitted in compliance with this policy, USAID will acknowledge receipt within 5 business days; endeavor to timely validate submissions; implement corrective actions, if appropriate; and inform researchers of the disposition of reported vulnerabilities.


If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized and will work with you to understand and resolve the issue quickly, and USAID will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.


Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue. This includes but is not limited to the discovery of a vulnerability and / or the exposure of nonpublic data.
  • Purge any stored USAID nonpublic data upon reporting a vulnerability.
  • Do not delete, alter, share, retain, or destroy USAID data, or render USAID data inaccessible, and do not disclose any personally identifiable information encountered to a third party.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not introduce malicious software.
  • Disclose vulnerability information as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly (as set forth below).
  • Do not submit a high volume of low-quality reports.
  • Once you’ve established that a vulnerability exists or encounter any sensitive/nonpublic data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Last updated: February 22, 2021

Share This Page