The General Services Administration will be the first federal civilian agency to engage in a bug bounty program.
On May 9, GSA’s Technology Transformation Service and digital team 18F awarded HackerOne to be the agency’s “Software-as-a-Service bug-reporting platform,” which will reward independent researchers for their discovery of public-facing web vulnerabilities while giving the agency time to fix them before they’re made public, according an 18F blog post.
The Defense Department and several military services have initiated bug bounties in the past two years, but GSA is the first to engage in the trend on the civilian side. HackerOne was the platform for both.
“The TTS Bug Bounty will be a security initiative to pay people for identifying bugs and security holes in software operated by the General Service Administration’s Technology Transformation Service (TTS), which includes 18F,” the post says.
The 18F team has been putting the building blocks in place over the past year to launch a bug bounty. In November, the team introduced a vulnerability disclosure policy, an integral part of a bug bounty program. Then earlier this year, TTS issued a draft solicitation through an open source GitHub project looking for potential experienced vendors to help it establish its own bug bounty program.
The process is quite simple, 18F explains:
“Upon receipt of a bug report, HackerOne will triage submissions first, determining both the validity and severity of the reported bug. Valid bugs will be sent to TTS and the appropriate team in charge of the web application will correct the issue. Anyone from a high school student with an interest in coding to a major security research firm with hundreds of employees can look for bugs and, if successful in their hunt, obtain a payout ranging from $300 to $5,000.”
With the results TTS and 18F receive in the early going, “we look forward to establishing a permanent program that involves most — if not all — TTS-owned websites and web applications,” the team says.
HackerOne, the company chosen to operate TTS’s bug bounty, spoke with FedScoop in February after the agency issued its draft solicitation, commenting on the trend in federal bug bounties.
“They are kind of pioneering and breaking new ground with doing it through this federal contracting process,” HackerOne CTO Alex Rice said. “And the lessons learned from 18F and the DOD doing this are making these programs accessible to every government agency out there. So I think we’ll see a fast follow with others reusing their work and leveraging the existing benefits there, particularly with the overhead associated with procurement in the federal government, the cost savings of crowdsourced security versus the more traditional methods is amplified even further for the government.”