GSA adds login.gov to its ongoing bug bounty program

The General Services Administration’s Technology Transformation Service is asking friendly hackers to test the security of login.gov, the agency’s single sign-on platform for government.

The GSA bug bounty program, the first for a civilian agency, began in August last year as part of a broader effort to draw upon outside expertise to increase the security of a variety of services. Commercial bug bounty platform HackerOne, which has handled similar projects for the military, is managing the effort. At first all of the focus was on the 18F-built Federalist website publishing service, but TTS has opened up additional domains as “targets” over the intervening months.

Now, login.gov is fair game.

Login.gov is a government single sign-on project built cooperatively by 18F and the U.S. Digital Service — it allows users to sign into multiple government websites with the same email address and password combination. The service is currently used by government job application site USAJobs; by the U.S. Customs and Border Protection for its jobs site, its Trusted Traveler Program and its Outlying Area Reporting Stations app; and by the USDS for an internal tool.

When USAJobs signed on in February, the job board’s program manager Michelle Earley cited Login.gov’s security as a decisive element in its favor. “A major reason USAJobs will be transitioning to login.gov is because it uses two-factor authentication, which will give users an extra layer of security to help protect their USAJobs profile against password compromises,” Earley said in a statement.

TTS will award bounties of between $150 and $5,000 for vulnerabilities found and disclosed in login.gov code.

TTS will continue to expand the domains included in the prize competition too — vote.gov, analytics.usa.gov and the main 18F domain are all still to be added.