Vulnerability Disclosure Policy

1.0 Vulnerability Disclosure Overview

The MBTA is committed to safeguarding our information assets through the continued growth of our information security program. We believe close partnerships with security researchers help support the MBTA in its mission to provide safe and reliable transportation. Researchers play an integral role in our security ecosystem by discovering vulnerabilities, which if exploited, could negatively impact the MBTA and our customers.

This document provides a process for reporting vulnerabilities and working with MBTA security staff. This process is designed to provide the MBTA with the opportunity to remediate findings, in a collaborative manner, with security researchers.

The MBTA:

• Will treat researchers with respect as they collaborate on the potential vulnerability.
• Will provide public acknowledgment of the discovered vulnerability once safeguards are established.
• Will respect Safe Harbor industry guidelines.

The MBTA is committed to protect and maintain all networks, systems, and information assets. This includes sensitive information assets such as staff or customer data, personally identifiable information, and personal health information from unwarranted disclosure.

We apply the proper security controls, as guided by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5 Framework “Security and Privacy Controls for Information Systems and Organizations.” For further details and for how to submit a report, please click here.

2.0 Purpose

This document establishes the Vulnerability Disclosure Protection Process for establishing and maintaining a Security Vulnerability Disclosure Program capability for the MBTA’s information systems, networks, and information assets. This document provides guidance to MBTA Users and researchers to meet requirements aligned with the MBTA’s responsibilities.

3.0 Scope

In addition to establishing processes, this policy covers researchers which may be individuals or organizations seeking to disclose potential vulnerabilities to the MBTA. Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-MBTA systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

Although this Policy addresses user responsibilities, it does not cover the matter exclusively. Other MBTA Information Security policies, standards, guidelines, and procedures define additional responsibilities. All Users must comply with the Information Security policies, standards, guidelines, and procedures.

4.0 Vulnerability Disclosure Program

4.1 MBTA "Safe Harbor" Pledge

The MBTA will not initiate legal action against security researchers or members of the public provided they adhere to this policy and documented processes. In addition, participants must comply with all applicable Federal and State laws and regulations in connection with their research activities.

4.2 MBTA Reporting Guidelines

The MBTA requests the following information:

• 4.2.1 Well-written reports in English will have a higher chance of being accepted.
• 4.2.2 Reports that include proof of concept code are more likely to be accepted. we take disclosure of sensitive data, including PII, PHI, and intellectual property seriously. All laws and regulations will apply to the disclosure of sensitive MBTA data. Researchers should immediately contact and work with the MBTA to handle sensitive information assets in an appropriate manner.
• 4.2.3 Reports should avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• 4.2.4 Include how you found the bug, the impact, and any potential remediation.
• 4.2.5 Any plans for public disclosure.
• 4.2.6 All reports must be submitted to ResponsibleDisclosure@mbta.com.

4.3 MBTA Response

The MBTA has a Vulnerability Management Team (VMT), under the direction of the Chief Information Security Officer. The VMT will provide researchers with:

• 4.3.1 A method to provide information easily and securely about a vulnerability via MBTA.com.
• 4.3.2 Refer all reports to the VMT for review and engagement with researchers.  
• 4.3.3 Provide a timely response to researcher submissions (within 5 Business days).  
• 4.3.4 Maintain communications with researchers and provide notification when the vulnerability analysis has completed each stage of our review.
• 4.3.5 The VMT will maintain an open and professional dialog with researchers as we work through vulnerability assessment and remediation steps.  
• 4.3.6 To the best of their ability, the VMT will confirm the existence of the vulnerability to researchers and be as transparent as possible about the remediation process, including on issues or challenges that may delay resolution.  
• 4.3.7 The VMT, under the direction of the Chief Information Security Officer (CISO), will coordinate with MBTA’s Chief of Staff and the Communications, Customer and Employee Experience, and Customer Technology Divisions responsible for communication with the MBTA’s Board of Directors, and researchers, and for the public disclosure of the vulnerability. The nature of this outreach may include but will not be limited to press releases, media briefings, social media app and web updates, among other channels and strategies. The VMT will work to ensure proper credit to researchers after the vulnerability has been validated and fixed.  

4.4 Termination of Testing

If researchers encounter any of the following in MBTA systems while testing within the scope of this policy, they must immediately halt all testing activities and notify the MBTA. We take disclosure of sensitive data very seriously. All laws and regulations will apply to the disclosure of sensitive MBTA data. Researchers should immediately contact and work with the MBTA to handle sensitive information assets in an appropriate manner. Examples include:

• 4.4.1 Personal Identifiable Information (PII) includes, but is not limited to, information such as social security number, financial account information, or other unique identifiers.
• 4.4.2 Protected Health Information (PHI) as delineated in the HIPAA Privacy Rule.
• 4.4.3 Any proprietary information or trade secrets of the MBTA.

4.5 Coordination for Public Disclosure

As part of the “Safe Harbor” agreement, the Security Researcher agrees to share their intended public disclosure with the MBTA ten (10) days prior to its release so that the MBTA may review and prepare any inquiries that may arise from the release of such information.

4.6 Unauthorized Research Types

Due to safety concerns, the following testing is prohibited and must be coordinated with the MBTA if necessary to demonstrate a potential vulnerability:

• 4.6.1 Physical testing (e.g., office access, open doors, tailgating: social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
• 4.6.2 Brute force attacks against login interfaces.
• 4.6.3 Defacing or altering public facing MBTA systems including, but not limited to digital information kiosks, schedules, or other real-time displays.
• 4.6.4 Network denial of service (DoS or DDoS) tests.
• 4.6.5 Any attack vector which poses a probable threat of injury or death.

4.7 Vulnerability Disclosure Protection Capability and Report Acceptance

MBTA may request researchers use certain tools to facilitate ease and security of vulnerability reporting. Reporting mechanisms and ongoing communications should be secure and limit unauthorized access to sensitive, non-public vulnerability information or sensitive data. Any discovery of sensitive data should follow the guidelines in Section 4.4 and with coordination with the MBTA Vulnerability Management Team.