Introduction

Last Updated: 10/19/2023

USA TODAY Co. is committed to maintaining the security of our systems and our customers’ information. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to USA TODAY Co.

If you believe you have identified a potential security issue, please share it with us by following the submission guidelines below. We thank you in advance for your submission; we appreciate researchers assisting us in our security efforts. Please note that USA TODAY Co. does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.

Program Overview

These Responsible Disclosure Program Terms of Service ("Terms") govern your participation in our Responsible Disclosure Program (RDP). By participating in the RDP, you agree to comply with these Terms, and you acknowledge and accept the responsibilities outlined herein. USA TODAY Co. reserves the right to update or modify these Terms at any time. It is your responsibility to review these Terms periodically for changes.


The Responsible Disclosure Program (RDP) is designed to encourage the responsible reporting of security issues found in our systems, applications, or infrastructure. Participation in the RDP does not grant you any rights or privileges beyond those explicitly outlined in these Terms.


By participating in the RDP, you agree to follow responsible and ethical disclosure practices.

Eligibility

Anyone may participate in the RDP, provided they adhere to these Terms. Disclosure of issues to USA TODAY Co.'s systems and services must be unconditional. However, you may not participate in the RDP in the following circumstances:

  • If your organization does not allow you to participate in these types of programs, we will not accept your findings.
  • If you are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in this program, we will not accept your findings.

Reporting

To report a security issue, please use the provided form. You agree to provide accurate and truthful information in your report.  Your report should include a detailed description of the issue, including relevant technical details and steps to reproduce it.  Below are some general best practices for submission:

  • A specific and descriptive title.
  • Description of the type of issue you’ve found and a clearly articulated impact statement.
  • Details and reproducibility are important. Supporting information and findings should include:
    • URLs and all GET query variables and/or POST data.
    • HTTP request and response data.
    • Screenshots and/or video.
    • Clear and easily followed steps to reproduce the issue.
    • Proof-of-concept or exploit code.
    • Description of tools used.
    • Details on any special conditions that need to be considered (presence or absence of something out of the ordinary).

If you wish to offer suggestions on how to mitigate the issue in question, we’d like to hear about it.

Rules of Engagement

You agree to follow responsible disclosure practices, including:

  • Not disclosing the issue to anyone other than the USA TODAY Co. Information Security Team.
  • Not exploiting the issue for any purpose other than testing and demonstrating it.
  • Cooperating with the USA TODAY Co. Information Security Team to resolve the issue in a timely manner.


You are authorized to perform non-destructive and non-disruptive testing.   Interact only with your own accounts, unless explicitly authorized by USA TODAY Co.'s Information Security Team.


Illegal activity is NOT permitted on our systems or networks under any circumstances.  You must NOT engage in any malicious activities, including:

  • Do not conduct activities that may degrade, disrupt, or negatively impact services or user experience (e.g., denial of service, brute force, password spraying, spam, fuzzing), unless specifically authorized by USA TODAY Co.'s Information Security Team. This includes brute forcing our APIs.
  • Do not conduct activities with the purpose of destroying or corrupting data.
  • Do not conduct activities stemming from leaked, stolen, or disabled credentials.
  • Do not conduct physical, social engineering, phishing, or electronic attacks against USA TODAY Co. personnel, offices, wireless networks, or property.
  • Do not conduct activities related to email servers, protocols, or security (e.g., SPF, DMARC, DKIM) without a working proof-of-concept (*).
  • Do not report issues that do not affect current browsers or plugins.
  • Do not report expired SSL certificates or broken links. These should be reported to USA TODAY Co.'s Customer Service team.
  • Do not report insecure SSL/TLS ciphers without a working proof-of-concept (*).
  • Do not report missing HTTP headers (e.g., lack of HSTS or CSP) without a working proof-of-concept (*).
  • Do not clickjack without a working proof-of-concept (*).
  • Do not report issues present on sub-domains that are mapped to sites/services outside of USA TODAY Co.
  • Do not report server error messages without a working proof-of-concept (*).
  • Do not report issues related to server version strings, verification tokens and other low/no risk informational findings without a working proof-of-concept (*).
  • Do not intentionally access data or information not belonging to you, beyond the minimum necessary to demonstrate the vulnerability.
  • Do not attempt to get malicious code executed by posting internal package names (or close replicas of them) in public repos.
  • Do not conduct activities originating from any country under U.S. sanction (as defined by the U.S. Treasury Department).
  • Do not conduct activities originating from any country declared a State Sponsor of Terrorism (as defined by the U.S. State Department).
  • Do not violate privacy, disrupt systems, destroy data, or harm user experience.
  • Do not send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
  • Do not transmit or share inappropriate content or material (involving, for example, nudity, pornography, graphic violence, or criminal activity).
  • Do not engage in false or misleading activities.
  • Do not engage in activity that is harmful to you, the Program, or others (e.g., transmitting malware, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
  • Do not infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
  • Do not help other people break our rules.
  • Do not engage in any activity that exploits, harms, or threatens to harm other people.
  • Do not access, modify, or use data belonging to others, including confidential USA TODAY Co. data. If a vulnerability exposes such data, stop testing, submit a report immediately, and delete all copies of the information.
  • Do not engage in extortion, threats, or other tactics to elicit a response under duress. USA TODAY Co. will deny any Safe Harbor claim for vulnerability disclosure conducted under such circumstances.

(*) "Working proof-of-concept" refers to the demonstration of a novel (e.g. previously unknown) exploit to an otherwise relatively minor vulnerability that would dramatically escalate its potential to disrupt the confidentiality, integrity or availability of a target system, application, or network. Theoretical exploits don't count; we want to see source code and/or reproducible processes. Such findings should be detailed carefully and thoroughly as they will be subject to heightened scrutiny and testing.

Confidentiality

The information shared in the course of the RDP, including but not limited to issue details, communication, and any other information, must be kept confidential. You may not disclose this information to any third party without explicit permission from the USA TODAY Co. Information Security Team.

Rewards & Recognition

USA TODAY Co.'s Responsible Disclosure Program is not offering monetary rewards at this time. We value the efforts of the researcher community and appreciate their contributions. If your report leads to the successful resolution of a valid security vulnerability or issue, you may be eligible for acknowledgment or recognition as determined by the program organizer and subject to your consent. Please visit our Security Recognitions Page to see more.

USA TODAY Co. Safe Harbor Statement for Security Researchers

USA TODAY Co. will not threaten or bring any legal action against anyone who complies with the Responsible Disclosure Program Terms. This includes any claim under the DMCA for circumventing technological measures to protect the services and applications eligible under these Terms. If you have concerns regarding any specific action(s) you believe might go "out of bounds", please ask us for clarification first. So long as you comply with our Terms:

  • We consider your security research to be "authorized" under the Computer Fraud and Abuse Act (and/or similar state laws), and;
  • We waive any restrictions in our applicable Terms of Service Policies that would prohibit your participation in this program, but only for the limited purpose of your security research under these Terms, and;

Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your permission.

USA TODAY Co. systems and services may be interconnected with third-party systems and services. If you submit a report through our program that affects a third-party service, we will limit what we share with the affected third party. Be aware that, while we can authorize your research on USA TODAY Co.'s systems and services, we can neither authorize your efforts on third-party products nor guarantee a third-party won't pursue legal action against you. That said, if legal action is initiated by a third party against you because of your participation in this program, and you have complied with our Terms, we will take steps to make it known that your actions were conducted in compliance with our policies. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third-party action based on your actions.
