18F's parent organization won't pursue legal action against researchers who find vulnerabilities.
Internet users who find security flaws in some government tech projects no longer have to fear prosecution once they report those flaws, as per a new federal policy.
The Technology Transformation Service, the General Services Administration group that houses tech consultancy 18F, is inviting security researchers and the general public to test out its systems and then report security vulnerabilities they find directly to the federal government.
If outside groups examining TTS projects—Vote.gov, for instance—"make every effort" to not violate privacy or engage in "degradation of user experience" and the destruction of data, among other stipulations, GSA will not "initiate or recommend" legal action against them, according to a new TTS blog post.
Historically, some researchers have avoided reporting vulnerabilities to government for fear of being prosecuted under the Computer Fraud and Abuse Act, which prohibits "unauthorized use of information systems," according to that post.
TTS outlines that researchers who have made a "good faith effort" to comply with its policy will find their use "authorized." To comply, researchers must also not exploit the vulnerabilities they discover to exfiltrate data and cannot use methods such as phishing attempts or network denial-of-service tests.
TTS systems currently covered under the policy include Vote.gov and 18F.gov, an online experiment that allows agencies to buy pieces of code for small amounts of money directly from the coder. The group eventually plans to include all of its projects in the policy.
These programs "already adhere to strict security standards," but "we're not perfect," the post said. "There will always be more expertise outside our organization than on the inside, and outside security researchers should feel just as welcome in raising a 'red flag' as our own staff."
The Defense Department recently released its own vulnerability disclosure policy.