Vulnerability Disclosure Program
This page is intended to give security researchers clear guidelines for submitting discovered vulnerabilities to Leidos.
Maintaining the security of our networks is a high priority at Leidos. If you are a security researcher and have information about a vulnerability in a Leidos website, product or application, we want to hear from you. Information submitted to Leidos under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications.
Please note, Leidos does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.
Guidelines
Leidos will deal in good faith with researchers who discover and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines.
- Your activities are limited exclusively to:
  - (1) Scanning to detect a vulnerability or identify an indicator related to a vulnerability; or
  - (2) Sharing with, or receiving from, Leidos information about a vulnerability or an indicator related to a vulnerability.
- You do no harm and do not exploit any vulnerability beyond the minimal amount of verification required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on Leidos information system(s).
- You do not exfiltrate any data under any circumstances.
- You do not intentionally compromise the privacy or safety of Leidos, or any third parties.
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any Leidos personnel or entities, or any third parties.
- You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability.
- You do not conduct denial of service testing.
- You do not conduct social engineering, including spear phishing, of Leidos personnel or contractors.
- You do not submit a high volume of low-quality findings.
- If at any point you are uncertain whether to continue your research, please engage with our team.
- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) Leidos data, assets or systems reside, (ii) Leidos data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy Leidos or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity and contact Leidos.
- Do not initiate a fraudulent financial transaction.
- Submissions will be ignored if they concern any of the following:
  - Attacks based on "social engineering" by employees or dealers
  - Phishing attempts
  - Common vulnerabilities found by an automated scanner
  - CSP vulnerabilities; SSL/TLS best practices
  - Denial-of-service attacks on servers and websites
  - Non-reproducible vulnerabilities
  - Resource exhaustion attacks
  - Clickjacking on pages with no sensitive actions
Please note that this should not be construed as encouragement or permission to perform any of the following activities:
- Hack, penetrate, or otherwise attempt to gain unauthorized access to Leidos applications, systems, or data in violation of applicable law;
- Download, copy, disclose or use any proprietary or confidential Leidos data, including customer data; and
- Adversely impact Leidos or the operation of Leidos applications or systems.
Leidos reserves all rights or claims with respect to such activities.
Disclosure
This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
What you can expect from us
We take every disclosure seriously and appreciate all the time and effort that security researchers put into detecting these flaws. Leidos is committed to coordinating with the researcher as openly and quickly as possible. This includes:
- Within three business days, we will acknowledge receipt of your report.
- Leidos' security team will investigate the report and may contact you for further information.
- To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.
Legal
You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
Leidos does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Leidos entity (e.g., other Federal departments or agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Leidos third party may independently determine whether to pursue legal action or remedies related to such activities.
Leidos may modify the terms of this policy or terminate the policy at any time.
How to submit vulnerability findings
If you believe you have found a vulnerability in a Leidos website, product or application, please submit the vulnerability information to Leidos via the form below.
- A detailed summary of the vulnerability, including the type of issue, how it was discovered, and the product, version, location and configuration of the software containing the bug.
- Step-by-step instructions to reproduce the issue or proof of concept.
- Possible impact.
- Suggested mitigation or remediation.
Upon submission, we will reach out to you for additional details which will be communicated through encrypted emails while using the PGP key listed below.