The State of Maryland is committed to maintaining the security and integrity of our digital infrastructure. To that end, we have established a statewide Vulnerability Disclosure Program (VDP) to enhance our ability to detect, remediate, and mitigate cybersecurity vulnerabilities in a coordinated and secure manner.
A VDP provides a formal method for security researchers to report vulnerabilities in good faith, enabling organizations to address them before malicious exploitation occurs. A VDP will facilitate the State’s awareness of otherwise unknown vulnerabilities, is an essential element of an effective enterprise vulnerability management program, and is critical to the security of internet-accessible State information systems.
This program will provide a secure and legal channel for security researchers to report potential vulnerabilities in State systems ("see something, say something"). A coordinated VDP enhances the State's ability to identify and remediate vulnerabilities before malicious actors can exploit them, augmenting existing vulnerability management efforts and protecting State data and services. Accordingly, the establishment and participation in a VDP are critical components of effective enterprise vulnerability management.
Scope
This Vulnerability Disclosure Program (VDP) applies to systems and services that are publicly accessible and either:
- Use state-managed domain names like *.maryland.gov, *.md.gov, or *.state.md.us; or,
- Are connected to the state’s secure government network, networkMaryland™.
This includes:
- State agencies and departments within the Executive Branch,
- Local governments, commissions, and public entities across Maryland,
- And certain eligible non-state organizations that use state IT infrastructure or domains.
Scope information is also maintained in the official Maryland VDP briefing hosted by Bugcrowd.
For questions or clarification about this program and its scope, please contact us at [email protected].
Rules of Engagement
Security Researchers Shall
- Cease testing and notify us immediately upon discovery of a vulnerability.
- Cease testing and notify us immediately upon exposure or access of nonpublic or sensitive data.
- Purge any stored State of Maryland nonpublic data after reporting a vulnerability.
- Limit system and application access and data viewing to only what is strictly necessary to confirm the presence of a vulnerability.
- Not retain, alter, destroy, render inaccessible, or share any data encountered during testing.
Unauthorized Activity
To protect systems, users, and data, the following are strictly prohibited:
Harmful or Disruptive Behavior
- Do not conduct activity that could be reasonably expected to degrade, disrupt, or damage State services.
- This includes, but is not limited to: Denial of Service (DoS/DDoS), mass automated testing, rate limit abuse, email bombing, or service degradation testing.
Social Engineering and Deception
- Do not use any social engineering tactics such as phishing, smishing, pretexting, or impersonation.
- Do not interact with or attempt to deceive State of Maryland employees or users.
Unauthorized Access Methods
- Do not attempt to gain physical access to or otherwise test State of Maryland buildings or facilities.
- Do not use attacker-in-the-middle (AITM) methods or network sniffing.
Password and Credential Attacks
- Do not perform brute force attacks, credential stuffing, password spraying, or repeated login attempts against other users' accounts.
- Do not use credentials obtained from third-party breaches or public leaks—even if publicly available. See "Leaked or Exposed Credentials" below.
- If you encounter exposed or leaked credentials, please report them as described in the Leaked or Exposed Credentials section.
Unsafe Changes or Interference
- Do not modify or delete data in accounts or systems you do not own.
- Do not intentionally alter system states, configurations, or files beyond what’s necessary to confirm the presence of a vulnerability. Do not intentionally weaken the security of an asset being tested.
- Do not install persistent access mechanisms such as backdoors or shells.
- Do not attempt to "pivot" to additional State of Maryland assets or further exploit an asset after confirming the presence of a vulnerability.
Excluded Submission Types
We will not accept reports for:
- P5 vulnerabilities unless they are part of a chained exploit that demonstrates real-world impact
- Policy violations without an accompanying technical vulnerability
- Issues with no clear, demonstrable risk
N-day / Third-party 0-day Practice
We recognize that the security research community is often among the first to identify and validate newly disclosed N-Day vulnerabilities. These contributions are valuable and encouraged under this program.
We do not impose an embargo period on N-Day submissions. Researchers may submit relevant findings as soon as public disclosure occurs.
However, in the case of large-scale or high-impact N-Day vulnerabilities (e.g., Log4Shell, ProxyShell, MOVEit), we may expand our triage window and require more rigorous evidence. Submissions must demonstrate real, actionable impact, not just version fingerprinting or automated scan results.
Acceptable evidence may include:
- Proof-of-concept (PoC) exploit demonstrating the vulnerability in action
- Access to sensitive functionality or data as a result of the issue
- Authenticated or verifiable server responses that confirm exploitability
- Screenshots or logs confirming unintended behavior
Vulnerabilities in third-party systems not managed by the State of Maryland should be reported directly to the vendor, in accordance with their own disclosure policies.
Leaked or Exposed Credentials
If you discover exposed credentials—whether through dark web sources, public leaks, or within testing—you are encouraged to report them.
Do not use or attempt to authenticate with credentials that are not yours. Simply report their presence and context.
Acknowledgment of Reports
We value the efforts of the security research community. All validated vulnerability submissions will be acknowledged, through Bugcrowd, within two business days of receipt.
The vulnerability submission form automatically enters your report into Bugcrowd’s platform, which is used to triage and track all validated vulnerability submissions.
We appreciate your patience while we review and triage your report and coordinate any required remediation efforts.
Disclosure Guidelines
The State of Maryland uses a Coordinated Disclosure Process.
No vulnerability may be publicly disclosed until:
- It has been validated by the program team,
- It has been resolved or mitigated by the appropriate Entity, and
- You have received explicit written approval from the Maryland VDP team.
There is no automatic release date. The program team will decide if, when, and what information may be shared.
Unauthorized disclosure may result in removal from the program and potential legal action.
Proof-of-concept material must not be posted to public platforms. Share large files using the Bugcrowd platform. If a secure transfer alternative is needed, request one in the Bugcrowd platform and we’ll provide instructions.
This policy overrides any disclosure terms in a vendor-hosted platform.
Early public disclosure may put the public or systems at risk. Responsible communication ensures vulnerabilities are addressed safely and effectively. If you believe an exception is warranted, contact us at [email protected] to discuss before disclosure.
What to Expect After Submitting a Report
- Acknowledgement: We will acknowledge receipt of your report within the Bugcrowd platform within 2 business days.
- Triage and Validation: The Maryland Department of Information Technology’s (DoIT’s) Office of Security Management (OSM) will validate the report and determine the severity rating of the vulnerability.
- Coordination: Affected Entities will coordinate remediation with our office and provide necessary risk assessment details.
- Remediation Timeline: Entities are expected to resolve validated vulnerabilities according to timelines appropriate to their severity. When remediation is not feasible, the Entity must formally seek risk acceptance.
- Confirmation: Once the issue is addressed, we will validate the remediation and notify the original requestor.
Safe Harbor for Security Researchers
Maryland recognizes the importance of external security researchers in identifying and reporting vulnerabilities that could impact our systems, constituents, and data. We are committed to working with the security community to strengthen our defenses and appreciate responsible disclosures made in good faith. As such, the VDP will include a Safe Harbor for external security researchers who act in good faith.
All research under this VDP must be conducted in good faith. "Good faith" means security research conducted with the intent to follow the VDP without any malicious motive and solely for the purpose of testing or investigating a security flaw or vulnerability and disclosing those findings in alignment with the VDP. The security researcher’s actions should be consistent with an attempt to improve security and to avoid doing harm, either by unwarranted invasions of privacy or causing damage to property.
If DoIT and OSM determine that research is conducted in good faith, they will consider that security research to be authorized, will work with the external security researcher(s) to understand and resolve reports quickly, and will not recommend legal action related to the security research.
Should legal action be initiated by a third party against the security researcher for research conducted in accordance with the VDP, DoIT and OSM will make this authorization known. External security researchers must comply with all applicable Federal, State, and local laws in connection with the security research activities or other participation in the VDP.
By participating in our VDP, external security researchers acknowledge and agree to the VDP’s terms. If there are questions about the scope or interpretation of this Safe Harbor, we encourage external security researchers to seek clarification before conducting testing.
Questions?
Many common questions are answered in our Frequently Asked Questions (FAQ).
For questions or clarification about this program, including scope or safe harbor details, please contact us at [email protected].
No Compensation Clause
This Vulnerability Disclosure Program does not offer financial rewards or compensation for vulnerability submissions. The program is intended to facilitate responsible disclosure and improve state cybersecurity, and participation is voluntary. Recognition may be offered at our discretion, but submission does not imply entitlement to any reward or acknowledgment.
Need to report a Cybersecurity Incident Instead?
If you need to report a security incident, for example an intrusion, breach, or outage, please access the Maryland Cyber Incident Reporting System.
Report a Vulnerability
If you believe you have discovered a vulnerability in a system covered by this program, please submit your report using the following submission form: