We request that you:

• Notify us as soon as possible after you discover a real or potential security issue.
• Use only the Official Channels (below) to discuss vulnerability information with us.
• Provide us a reasonable amount of time in good faith to resolve the issue before you disclose it publicly. For details, please review or Coordinated Disclosure below.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data during security testing.
• Only test to the extent necessary to confirm a vulnerability exist in the systems identified within the scope section (below). Do not compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
• Once you’ve established that a vulnerability exists or encounter any sensitive data outlined in the sensitive data section (below), you must stop your test, notify us immediately, and not disclose this data to anyone else.
• Keep the details of any discovered vulnerabilities confidential until they are fixed within a reasonable time, according to the Disclosure Policy.
• Do not submit a high volume of low-quality reports.

When working with us according to this policy, you can expect us to:

• Extend the Authorization below for your vulnerability research that is related to this policy;
• Work with you to understand and validate your report, including a timely initial response to the submission;
• Work to remediate discovered vulnerabilities in a timely manner; and
• Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Cuyahoga County will not recommend or initiate legal action related to your research.

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels in the “Reporting a vulnerability” section before going any further.

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately:

• Personally identifiable information (Social Security numbers, driver’s license numbers)
• Financial information (e.g., credit card or bank account numbers)
• Proprietary Information (trade secrets or any party)

This policy applies to the following systems and services:

• cuyahogacounty.us
• cuyahogaounty.gov
• *.cuyahogacounty.us, expect for the specific subdomains:
  • Out of Scope: boe.cuyahogacounty.gov
  • Out of Scope: cp.cuyahogacounty.us
  • Out of Scope: probate.cuyahogacounty.us
  • Out of Scope: juvenile.cuyahogacounty.us
  • Out of Scope: domestic.cuyahogacounty.us
  • Out of Scope: appeals.cuyahogacounty.us
  • Out of Scope: prosecutor.cuyahogacounty.us
  • Out of Scope: publicdefender.cuyahogacounty.us

This policy has the specific systems and services that are out of scope:

• boe.cuyahogacounty.us
• cp.cuyahogacounty.us
• probate.cuyahogacounty.us
• juvenile.cuyahogacounty.us
• domestic.cuyahogacounty.us
• appeals.cuyahogacounty.us
• prosecutor.cuyahogacounty.us
• publicdefender.cuyahogacounty.us

Scope last updated 3/21/2022

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-county systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system or endpoint is in scope or not, contact us at cuyahoga-county@submit.bugcrowd.com before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

The following test types are not authorized:

• Network denial of service (DoS or DDoS) tests
• Defacement
• Physical testing (e.g. office access, open doors, tailgating)
• Social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
• Functionality bugs, clickjacking, email spoofing, etc. are considered out of scope. Our intent is to work with researchers to identify software and system vulnerabilities, not to identify low impact issues. Testers may report such issues, but they may not be handled as an issue subject to this vulnerability disclosure process.

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.

We accept vulnerability reports through the following ways:

• The secured web form (preferred)
• Additional methods via our security.txt file (secured web form is preferred)
• Email cuyahoga-county@submit.bugcrowd.com (secured web form is preferred)

Reports may be submitted anonymously. All items will be acknowledged within 3 business days. The preferred method and for particularly sensitive information, we suggest submitting through our secure web form.

What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:

• Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
• Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
• Be in English, if possible (if not we do have translation services available).

What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

• Within 3 business days, your submission will be acknowledged
• To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
• We will maintain an open dialogue to discuss issues.
• Vulnerabilities in Cuyahoga County system may be relevant to other state and local governments who use similar technology. We may share your vulnerability reports with U.S. federal, state, and local government agencies and the information sharing organizations that work closely with them.
• The “Coordinated Disclosure” section below specifies our commitment to publishing vulnerabilities after reporting. We are not offering financial compensation or “bug bounties” as part of our program.

Preferred method is via our Secure HTTPS web form.

The Cuyahoga County Office of Security and Research is committed to resolving vulnerabilities in 90-120 days or less and may disclose the details of those vulnerabilities when they have been resolved. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other's mistakes.

At the same time, we believe that disclosure in absence of a readily available remediation tends to increase risk rather than reduce it, accordingly we ask that you not share your report with others during the agreed window while we work to resolve the vulnerability. If you believe there are others that should be informed of your report before it has been resolved, please let us know – we strive to work with all parties for proper disclosure.

We support coordinated disclosure that advances the security of our systems and the overall security community. Once a known vulnerability is remediated or the agreed disclosure window has passed, we may coordinate a public advisory with you. Before you release any information related to the vulnerability please contact us to ensure you are not releasing sensitive information. Thanks for supporting this innovative and important program to help secure Cuyahoga County systems.

Under Ohio’s public records law we may be required to release records related to your research and disclosure. If you wish to remain anonymous you may use a pseudonym and contact Cuyahoga County with a "throw-away" email account.