The Federal Energy Regulatory Commission (FERC) is committed to ensuring the security of the American public by protecting their information. As such, the FERC has created a Vulnerability Disclosure Policy. Vulnerability Disclosure is the “act of initially providing vulnerability information to a party that was not believed to be previously aware.” The individual or organization that performs this act is called the researcher. The FERC Vulnerability Disclosure Policy is intended to give security researchers clear guidelines on the following:

  • Conducting vulnerability discovery activities on FERC systems;
  • What systems and types of research are covered under this policy;
  • What researchers can expect from the Commission;
  • What the Commission expects from researchers, including how long researchers should wait before publicly disclosing vulnerabilities;
  • Steps for disclosing vulnerabilities to the Commission, and how to send the vulnerability reports.

The FERC encourages researchers to contact the Commission to report potential vulnerabilities in the FERC systems. This program allows researchers to alert FERC to security flaws they identify within the FERC public-facing websites. Feedback received through this program allows the FERC to remediate flaws quickly when possible, thereby strengthening the integrity of the organization's information technology systems and enhancing protection of government-owned data.

Access full Policy here

This page was last updated on March 04, 2021