US Announces Bug Bounty for Federal Digital Service Agency
The General Services Administration (GSA) in the United States has announced a bug bounty program for the Technology Transformation Service (TTS), which includes the government’s digital service agency, 18F.
18F helps federal agencies build, buy, and share modern digital services to improve the user experience of government. It has worked with more than 50 offices and agencies on more than 200 engagements.
This is the first public bug bounty program run by a civilian federal agency. It follows the release of a TTS vulnerability disclosure policy in November, which sets out how researchers can report vulnerabilities in TTS systems and what they must do to keep any personal and financial information they encounter safe.
The program will cover several TTS public-facing web applications, with payouts ranging from $300 to $5,000 depending on severity.
“Following the three successful Department of Defense challenges with the Pentagon, Army and Air Force, 18F represents the movement to more deeply embed hacker-powered security across government infrastructure,” a HackerOne spokesperson said via email. “Even the most advanced security ecosystem needs the support and contributions of the global hacker community to help ensure the safety of sensitive and private data. On the flip side, 18F and the Department of Defense are also opening opportunities for hackers to serve our country by reporting bugs as acts of patriotism. Protecting the nation is a collective effort of all service men and women, and now hackers.”
When a report is submitted, HackerOne triages it first, determining whether the reported bug is valid and how severe it is. Valid reports are then forwarded to TTS, where the team responsible for the affected web application corrects the issue.
“With bug bounties becoming an established industry-wide best practice, it’s important for us to establish our own,” 18F said in a statement. “With the results we receive from the TTS Bug Bounty, we look forward to establishing a permanent program that involves most — if not all — TTS-owned websites and web applications.”
Source: Information Security Magazine