Over the past two weeks, hackers have been welcome to probe the 18F-built Federalist website publishing service, and so far the government has paid out $1,400 for their efforts.
It’s the first time a civilian agency has used a bug bounty platform to let members of the general public find website vulnerabilities. The program, which began Aug. 25, is part of a broader effort by the General Services Administration’s Technology Transformation Service to draw upon outside expertise to increase the security of a variety of services. Bug bounty platform HackerOne, which has handled similar projects for the military, is managing the effort.
Although TTS has plans to expand the bug bounty, Federalist is getting all the attention for now. (It has no relationship to the media site The Federalist.)
Federalist’s domain and its source code are currently the only TTS projects in the scope of the competition, but organizers plan to introduce additional targets “at regular intervals,” HackerOne’s program page says, including parts of login.gov, data.gov, vote.gov and more.
TTS is offering “competitive” bounties for vulnerabilities — $150 for the lowest level and up to $2,000 for critical level.
The military pioneered this kind of program in government. In April 2016 the Department of Defense launched Hack the Pentagon, the first federal bug bounty program. The pilot was quickly expanded to include Hack the Army and Hack the Air Force.
TTS isn’t just looking for help with Federalist’s code. It’s also hoping to use this initial bug bounty program to take constructive criticism about how to improve the overall process.
“As the first program of its kind, we expect to evolve its structure over time and welcome feedback on areas for improvement,” the HackerOne description reads.