Vulnerability Disclosure Program

Working together to identify and address security vulnerabilities

Purpose

Fairfax County Public Schools (FCPS) is committed to ensuring the security of its students and staff by safeguarding their digital information. This Vulnerability Disclosure Program (VDP) requires that researchers conduct vulnerability discovery activities in good faith and direct them only at public-facing, internet-accessible FCPS websites and services. This VDP also instructs researchers to submit discovered vulnerabilities to the FCPS IT Security Office (FCPS ITSO), which is within the Office of the Chief Information Technology Officer.

Scope and Authorized Activities

This program applies to all public-facing, internet-accessible FCPS systems and services, including the registered domain names FCPS.edu and fcpsschools.net. If a researcher is unsure whether a system is in scope, contact FCPS ITSO at [email protected] before starting any research activity.

FCPS does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity on or affecting FCPS systems that is inconsistent with this program or the law. You may be subject to criminal and civil liabilities if you engage in activities inconsistent with this program or other applicable laws.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-FCPS entity (e.g., federal departments or agencies; state, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), those third parties may independently determine whether to pursue legal action or remedies related to such activities.

If a researcher complies with this program when conducting vulnerability discovery activities, FCPS will consider those activities authorized.

Definitions

  • Vulnerabilities: Weaknesses in systems and services that attackers could exploit.
  • Zero-day vulnerability: A vulnerability unknown to the software vendor or developer, lacking an official patch.
  • Public-facing: Accessible to the general public.
  • Good faith: Honesty or lawfulness of purpose.
  • Proof-of-concept: Demonstration of how a vulnerability can be exploited.
  • Researchers: The cybersecurity research community and members of the general public.

Program

FCPS recognizes that the cybersecurity research community regularly makes valuable contributions to the cybersecurity of individual organizations and the broader Internet and that fostering a positive relationship with this community can help improve FCPS’s security.

Vulnerabilities submitted to FCPS ITSO under this program will be used to mitigate or remediate vulnerabilities in our networks and services or those of our vendors.

Researchers must review, understand, and abide by the following terms and conditions before conducting any research on FCPS networks and submitting a report.

General Requirements

To be considered authorized activities under this program, researchers must abide by the following requirements:

  • Fairfax County Public Schools staff and students should refer to the Acceptable Use Policy for guidance on vulnerability research. Staff and students are expected to adhere to the terms of the Acceptable Use Policy, which prohibits actions that may violate its requirements. This VDP does not grant authorization to bypass or circumvent the Acceptable Use Policy.
  • Research activity may only be conducted against in-scope assets. If a researcher is unsure whether a system is in scope, contact FCPS ITSO at [email protected] before starting any research activity.
  • Research activity is explicitly prohibited on any FCPS-provided network, including, but not limited to, wired Ethernet and wireless networks.
  • Notify FCPS ITSO using the vulnerability submission process in the Reporting a Vulnerability section within 72 hours of discovering any real or potential security vulnerabilities.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only conduct research activities to the extent necessary to confirm a vulnerability’s presence.
    • Do not use any exploit to compromise or exfiltrate data, open, take, or delete data or files, establish command line access and persistence, or pivot to other systems.
    • Do not escalate privileges or attempt to move laterally within the network.
    • Do not disrupt access to FCPS services or introduce any malware.
  • Only publicly disclose reported vulnerabilities with prior written approval from FCPS ITSO.
  • Follow the submission process in the Reporting a Vulnerability section, and do not submit a high volume of incorrect or incomplete reports.
  • Once a researcher establishes that a vulnerability exists or encounters any sensitive data (including personally identifiable information, protected health information, financial information, or the proprietary information or trade secrets of any party), they must stop all research activity, notify FCPS ITSO immediately through the vulnerability submission process in the Reporting a Vulnerability section, and not disclose this data to anyone else.

Research Methods

FCPS ITSO will deal in good faith with researchers who discover and submit vulnerabilities or indicators of vulnerabilities per the following requirements:

  • Research activities are limited exclusively to:
    • Research to detect a vulnerability or identify an indicator related to a vulnerability.
    • Sharing or receiving information from FCPS ITSO about a vulnerability or an indicator related to a vulnerability.
  • Researchers may not harm any FCPS system or data on an FCPS system or exploit any potential vulnerabilities beyond the minimal activity required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • Researchers must not establish command-line access and persistence, pivot to other systems, escalate privileges, attempt to move laterally within the network, disrupt access to FCPS services, or introduce malware.
  • Researchers must avoid intentionally accessing the content of any communications, data, or information transiting or stored on any FCPS information system – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • Researchers must not intentionally exfiltrate or copy FCPS data or open, take, or delete files. Should researchers obtain FCPS data during their research, they must coordinate with FCPS ITSO to ensure that data is appropriately destroyed upon confirmation that the vulnerability is remediated.
  • Researchers may not intentionally compromise the privacy or safety of FCPS students, staff, or any third parties.
  • Researchers may not intentionally compromise the intellectual property or other commercial or financial interests of any FCPS personnel, entities, or third parties through their research.
  • Researchers may not publicly disclose any details of the vulnerability, an indicator of vulnerability, or the content of information rendered available by a vulnerability until that vulnerability is remediated and they receive explicit written authorization from FCPS ITSO.
  • Researchers may not conduct denial-of-service (DoS or DDoS) or other activities that impair access to or damage a system or data.
  • Researchers may not conduct physical or social engineering activities against FCPS students, staff, or contractors, including spear phishing.
  • Researchers may not intentionally submit a high volume of low-quality, unsubstantiated, or false-positive reports.
  • If researchers are uncertain whether to continue research activity, they must contact FCPS ITSO at [email protected] before conducting any further activities.

Reporting a Vulnerability

If a vulnerability is discovered, researchers must provide a detailed summary of the vulnerability, including the following:

  • Description of the vulnerability and its potential impact
  • Product, version, and configuration of any software or hardware potentially impacted
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept
  • Suggested mitigation or remediation actions, as appropriate

FCPS ITSO will accept vulnerability disclosure reports by email at [email protected]. When submitting sensitive material, FCPS ITSO requires the encryption of the data.

By submitting a report or communicating with FCPS ITSO at [email protected], the submitter is presumed by FCPS ITSO to have read, understood, and agreed to the requirements described in this program and to consent to having any subsequent communications with FCPS stored on the FCPS information system. Personal data submitted in a vulnerability disclosure report will not be retained by FCPS ITSO, other than contact information, which will be retained only to coordinate with the researcher.

If a researcher discovers a zero-day or any new vulnerability that may affect all users of a product or service and not solely FCPS, FCPS ITSO may share a vulnerability disclosure report with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without your express permission.

What To Expect From FCPS

FCPS ITSO will take every disclosure report seriously and, to the extent it deems appropriate, investigate every report to validate the vulnerability, prioritize the risk, and ensure that proper steps are taken to mitigate and remediate reported vulnerabilities.

FCPS ITSO remains committed to coordinating with the security research community as openly and quickly as possible. This includes:

  • Acknowledging receipt of each vulnerability report within three business days. FCPS ITSO will investigate each report and may contact the researcher for further information.
  • Confirming the existence of the vulnerability to the researcher to the best of our ability and informing the researcher of any issues or challenges that may delay resolution. If necessary, FCPS ITSO may coordinate with the researcher for additional information as we work to remediate a vulnerability.
  • Maintaining an open dialogue with individual researchers to discuss issues.
  • If researchers conduct vulnerability disclosure activities per the restrictions and requirements outlined in this program, FCPS ITSO will not initiate or recommend any law enforcement or civil actions related to such activities, and in the event of any law enforcement or civil action brought in connection with research activities, FCPS ITSO will take steps to make known that your activities were conducted according to and in compliance with this program.

Program Review and Update

FCPS may modify the terms or terminate this program at any time.

This program will be reviewed and updated annually to ensure alignment with the latest cybersecurity developments and organizational needs.

In addition to the annual review, this program will be subject to emergency updates in response to critical security incidents or vulnerabilities. The IT Security Office is authorized to make immediate changes to the program as necessary to address emerging threats. Any emergency updates will be incorporated into the program document.