Note: Single-source report; awaiting corroboration.
The Department of Energy (DOE) has published a Vulnerability Disclosure Policy as part of DOE Order 205.1D. This policy defines a structured process that allows members of the public acting in good faith, referred to as Reporters, to submit information about potential security vulnerabilities associated with DOE websites, systems, or digital services that are publicly accessible over the internet.
The Vulnerability Disclosure Program aims to enhance DOE's cybersecurity posture by formalizing procedures for receiving, evaluating, and remediating identified vulnerabilities. It also promotes transparency and communication between DOE and external parties, setting minimum requirements for departmental elements, program offices, and associated sites.
According to the policy, the scope of the program is determined by the Office of the Chief Information Officer (OCIO) in accordance with relevant laws and directives. The OCIO works with Heads of Departmental Elements to identify which systems and services are under their responsibility and included in the program. Initially, DOE has identified at least one publicly accessible website, system, or digital service as in scope.
The policy supports federal cybersecurity mandates, including the Office of Management and Budget Memorandum 20-32 and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency Binding Operational Directive 20-01, both of which require agencies to develop and publish vulnerability disclosure policies.