The Office of the Minnesota Secretary of State believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good between the Office and Security Researchers. Together, our partnership promotes the continued security and privacy of the Office of the Minnesota Secretary of State's users, systems, and data.
The Office of the Minnesota Secretary of State accepts vulnerability reports from all sources such as independent security researchers, industry partners, vendors, public and private customers, and consultants. The Office of the Minnesota Secretary of State defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability, or confidentiality of our services.
At the current time, only the following domains are covered by this policy and are in scope for the vulnerability disclosure program:
Please check back frequently as the scope will be expanded over time.
The following types of tests and reports are considered out of scope for this program:
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and the Office of the Minnesota Secretary of State will not recommend or pursue legal action related to your research.
Outside of this authorization granted to you against in-scope assets, you must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
The Office of the Minnesota Secretary of State does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Minnesota Secretary of State entity (e.g. other State of Minnesota or federal departments or agencies; local or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Minnesota Secretary of State third party may independently determine whether to pursue legal action or remedies related to such activities. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
The Office of the Minnesota Secretary of State recommends that security researchers share the details of any suspected vulnerabilities across any in-scope asset using the web form below, which will submit the report to the agency's vulnerability program hosted and managed by BugCrowd. The Office of the Minnesota Secretary of State's security team will acknowledge receipt of each vulnerability report within 7 business days, conduct a thorough investigation, and then take appropriate action for resolution. The Office of the Minnesota Secretary of State strives to remediate any in-scope leverageable vulnerability within 120 days. Researchers may disclose remediated vulnerabilities once given the go-ahead by the Office of the Minnesota Secretary of State or after 120 days (whichever comes first). Any violation of this timeline will be considered a breach of this policy and its protections. If you have any questions or comments about this program, contact us at vdp.oss@state.mn.us.