Welcome to Department of Energy Responsible Disclosure
By submitting a vulnerability to the Department of Energy through ResponsibleDisclosure.com, you agree to the Terms of Service.
Get Started


The Department of Energy (DOE) is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. As such, the DOE has created a Vulnerability Disclosure Program and Policy to give security researchers clear guidelines for conducting vulnerability discovery activities on DOE systems and websites and to convey the DOE’s preferences in how to submit discovered vulnerabilities to the Department.

The Department’s program, and the rules of engagement described herein, describe what systems and types of research are covered under this program, how to submit vulnerability reports, and asks that reporters refrain from publicly disclosing submitted vulnerabilities.

Vulnerability disclosure is the “act of initially providing vulnerability information to a party that was not believed to be previously aware.” The individual or organization that performs this act is called the Reporter. This program allows Reporters to alert the DOE to security flaws they find within the DOE’s public-facing websites. Feedback received through this program allows the DOE to fix flaws quickly when possible, thereby strengthening the integrity of the Department’s information technology systems and enhancing protection of government-owned data.

See https://www.energy.gov/vulnerability-disclosure-policy.

Responsible Disclosure Policy:

This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only.

The details within your request form will be submitted to ResponsibleDisclosure.com (operated by an independent third party, Synack). If you have reported an issue determined to be within program scope and to be a valid security issue, ResponsibleDisclosure.com will validate your finding and you will be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by ResponsibleDisclosure.com through their platform, accordingly you must accept the ResponsibleDisclosure.com terms of service if you wish to proceed. All queries are to be directed to ResponsibleDisclosure.com and managed exclusively through the ResponsibleDisclosure.com online portal.

Typical Vulnerabilities Accepted:

Typical Out of Scope:

For a full list of program scope please visit the Responsible Disclosure details page

Responsible Disclosure Guidelines: