The Nuclear Regulatory Commission (NRC) is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. The NRC Vulnerability Disclosure Policy or VDP is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
The NRC Vulnerability Disclosure Policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
If you aren't sure whether a system or endpoint is in scope or not, refer to the NRC VDP or contact us at SOC-VDP@nrc.gov before continuing your research.
Reporting a vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely the Nuclear Regulatory Commission, we may share your report with the Department of Homeland Security / Cybersecurity and Infrastructure Security Agency (DHS/CISA), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
We accept vulnerability reports via SOC-VDP@nrc.gov. Acceptable message formats are plain text, rich text, and HTML. We will only accept .TXT, .GIF, and .JPG/JPEG file types as message attachments. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within five (5) business days.
What we would like to see from you:
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Submit the information in English, if possible.
Questions regarding this policy may be sent to SOC-VDP@nrc.gov. We also invite you to contact us with suggestions for improving this policy.