Policies
Accessibility statement
We design our web pages to meet or exceed the Section 508 standards, which are the technical requirements that ensure we’re complying with federal Section 508 law. We also conform to the World Wide Web Consortium (W3C) and their industry standard Web Content Accessibility Guidelines (WCAG) 2.1. We meet Level AA standards, which means our content is accessible to most people in most circumstances. We continually modify our websites to ensure the information, features and content are accessible to persons with disabilities.
Available complaint process
If you experience difficulty accessing any resources or content on this site, please contact us at info@coldcaserecords.gov and include:
- The nature of your accessibility problem
- The URL of the page the inaccessible content was found on
- The preferred format in which you want to receive any materials
- Your contact information (email, phone or address)
We will work diligently to provide you with accessible content that addresses your issues.
Use of the telecommunications relay service
Telecommunications Relay Services (TRS) allow persons who are deaf, hard of hearing, deafblind, or have speech disabilities to communicate by telephone in a manner that is functionally equivalent to telephone services used by persons without such disabilities.
Accessibility aids: plug-ins and file viewers
Links to applets, plug-ins, or other applications required to access content provided on our web pages are available and linked below. Most of these links are to non-government sources. We do not endorse any of these products; they are provided for your convenience. Address questions about a particular plug-in or file viewer to the respective vendor.
- Adobe Acrobat: Use Adobe Acrobat to read Portable Document Format (PDF) files.
- Microsoft Word: Microsoft offers Doc Viewer and other converter programs to enable those who do not have Word to open and view Word files.
- Microsoft Excel: Microsoft offers XLS Viewer Free to enable those who do not have Excel to view Excel files.
- Microsoft PowerPoint: Microsoft offers PPTX Viewer to enable those who do not have PowerPoint to view PowerPoint files.
- WinZip: Zip files are single files, sometimes called “archives,” that contain one or more compressed files. Files with this extension (.zip) require WinZip to open and extract them.
Freedom of Information Act (FOIA)
The Freedom of Information Act (FOIA) provides the public the right to request access to records from any federal government agency. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions, which protect interests such as personal privacy, national security, and law enforcement.
Individuals wishing to file a request for records under the FOIA should email their request to info@coldcaserecords.gov or mail it to the Civil Rights Cold Case Records Review Board, 1800 F Street, NW, Washington, DC 20405. The email subject line or the letter/envelope should include the words “FOIA Request.”
FOIA requests should include the following:
- A description of the records sought with enough detail to enable Review Board staff to locate them with a reasonable effort. To the extent possible, you should include specific information such as the subject matter, date, title or name, author, and/or recipient of the desired records.
- The requester’s name, mailing address, and email address.
- The requester’s agreement to pay all applicable fees.
Equal employment
The Civil Rights Cold Case Records Review Board (the Review Board) complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, sexual orientation, sex or gender. The Review Board does not exclude people or treat them differently because of race, color, national origin, age, disability, sexual orientation, sex or gender.
External links
This website contains links to other websites created and maintained by other public and private organizations. Please be aware that we do not control or guarantee the accuracy and completeness of this information. Linking to these sites is not an endorsement of the site sponsors, any views expressed, or the information and products presented.
These third-party websites have their own privacy, security, and accessibility policies. Once you link to another site, you are subject to the policies of that site. We encourage you to read the privacy and information security policies of any website you link to from ours, especially if you share any personal information.
Privacy policy
The Civil Rights Cold Case Records Review Board does not collect any personal information about you when you visit our website unless you choose to provide that information. The only information that the Review Board automatically collects is each website visitor’s Internet domain and IP address, the type of browser and operating system used to access the site, the pages visited and time spent on each page, and the date and time of the visit. If you send an email to the Review Board through this website, the personal information you provide will be used only to respond to your message. We will not disclose or share this personal information outside of the Review Board without your explicit permission.
The Privacy Act, 5 U.S.C. Section 552a, passed by Congress in 1974, establishes certain controls over what personal information is collected by the federal government and how it is used. The act guarantees three primary rights: (1) the right to see records about oneself, subject to the Privacy Act’s exemptions; (2) the right to amend that record if it is inaccurate, irrelevant, untimely or incomplete; and (3) the right to sue the government for violations of the statute, including permitting others to see your records, unless specifically permitted by the act.
Vulnerability disclosure policy
The Civil Rights Cold Case Records Review Board (“the Review Board”) takes seriously our responsibility to protect the public’s information, including financial and personal information, from unwarranted disclosure.
Security researchers should feel comfortable reporting any vulnerabilities they discover, as defined in this policy, so that the Review Board has the opportunity to remediate the findings, fix them, and keep our information safe and confidential.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
Scope
Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-federal systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).
The following test types are not authorized:
- User interface bugs or typos.
- Network denial of service (DoS or DDoS) tests.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
- Brute-force attacks against login interfaces.
If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us at info@coldcaserecords.gov immediately. Disclosure of the following may not be made to any third party:
- Personally identifiable information (PII).
- Financial information (e.g. credit card or bank account numbers).
- Proprietary information or trade secrets of any party.
Guidelines
Security researchers shall:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems. Once you’ve established that a vulnerability exists, or encountered any of the sensitive data outlined above, you must stop your test and notify us immediately.
- Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified the Review Board. For details, please review Coordinated Disclosure.
The Review Board is committed to acknowledging receipt of the report within 5 business days.
Legal
You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
The Review Board does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Review Board entity (e.g., other Federal departments or agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Review Board third party may independently determine whether to pursue legal action or remedies related to such activities.
If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) the Review Board will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than the Review Board, the Review Board will communicate as appropriate, in the absence of any legal restriction on the Review Board’s ability to so communicate, that your activities were conducted pursuant to and in compliance with this policy.
Reporting a vulnerability
You can email vulnerability reports to info@coldcaserecords.gov.
Note: We do not support PGP-encrypted emails. Do not share sensitive information through email. If you believe it is necessary to share sensitive information with us, please indicate as such on the report and the Review Board will reach out to establish a more secure method.
Reports should include:
- Description of the location and potential impact of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
- Any technical information and related materials we would need to reproduce the issue.
Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with US-CERT, as well as any affected vendors or open source projects.
Coordinated disclosure
The Review Board is committed to patching vulnerabilities within 90 days or less and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.
At the same time, we believe that disclosure in absence of a readily available patch tends to increase risk rather than reduce it, and so we request that you refrain from sharing your report with others while we work on our patch. If you believe there are others that should be informed of your report before the patch is available, please let us know so we can make arrangements.
We may want to coordinate an advisory with you to be published simultaneously with the patch, but you are also welcome to self-disclose if you prefer. By default, we prefer to disclose everything, but we will never publish information about you or our communications with you without your permission. In some cases, we may also have some sensitive information that should be redacted, and so please check with us before self-disclosing.