The General Services Administration’s Technology Transformation Service is asking friendly hackers to test the security of login.gov, the agency’s single sign-on platform for government.
The GSA bug bounty program, the first for a civilian agency, began in August last year as part of a broader effort to draw upon outside expertise to increase the security of a variety of services. Commercial bug bounty platform HackerOne, which has handled similar projects for the military, is managing the effort. At first all of the focus was on the 18F-built Federalist website publishing service, but TTS has opened up additional domains as “targets” over the intervening months.
Login.gov is a government single sign-on project built cooperatively by 18F and the U.S. Digital Service — it allows users to sign into multiple government websites with the same email address and password combination. The service is currently used by government job application site USAJobs; by the U.S. Customs and Border Protection for its jobs site, its Trusted Traveler Program and its Outlying Area Reporting Stations app; and by the USDS for an internal tool.
When USAJobs signed on in February, the job board’s program manager Michelle Earley cited Login.gov’s security as a decisive element in its favor. “A major reason USAJobs will be transitioning to login.gov is because it uses two-factor authentication, which will give users an extra layer of security to help protect their USAJobs profile against password compromises,” Earley said in a statement.
TTS will award bounties of between $150 and $5,000 for vulnerabilities found and disclosed in login.gov code.
TTS will continue to expand the domains included in the prize competition too — vote.gov, analytics.usa.gov and the main 18F domain are all still to be added.