IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New York City Launches Vulnerability Disclosure Program

The city is inviting the public — especially developers and security researchers — to use a new platform to securely report potential vulnerabilities that they discover in city-owned websites and systems.

New York City is looking to encourage the developer and security researcher community to speak up about potential vulnerabilities they find that may affect city systems and websites, in what CISO Kelly Moan compared to a “see something, say something” approach to cyber.

To this aim, the city announced a new vulnerability disclosure program this week, intended to provide a clear and streamlined way to securely submit vulnerability findings.

“Generally, it shouldn’t be hard to report a potential vulnerability to city government,” Moan said.

The program was developed in partnership with testing platform Synack and provides an online submission form as well as rules of engagement and guidance. On the back end, Cyber Command receives and validates the findings, informing relevant agencies so they can remediate the issues.

The program is largely aimed at security researchers, but anyone who believes they’ve found something within scope of the program is encouraged to submit.

“You might stumble on something when navigating our sites,” Moan said.
Screenshot of a web form for vulnerability disclosures. It lists several questions or prompts, above open answer fields, including "vulnerability description," "vulnerability category" and "vulnerabilty location(s)"
Researchers are invited to report vulnerabilities they discover.

Per program rules, researchers shouldn’t ask for compensation for the discoveries or time and materials. But Moan said researchers will be credited on the website for their findings. And they’ll get to see if they discovered something genuine that helped the city prevent a potential incident.

The rules of engagement warn researchers to avoid publicly disclosing vulnerabilities before the city has fixed them as well as to avoid testing in ways that might disrupt systems or violate privacy. Moan said the city has not had issues with harmful testing and that the rules are standard in this space.

The program covers all systems “within NYC public IP space,” and all websites or web applications under or domains, plus any websites and web applications displaying a notification that they participate in the Vulnerability Disclosure Program, per the rules.

Moan said she hopes to release statistics next year about the number of findings researchers submitted and how many were remediated.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.