GSA Tech Office Launches Bug Bounty Program


This is the first civilian government program that pays ethical hackers to search out digital bugs.

The cybersecurity company that ran a bug bounty program for the Army and is running ongoing programs for the Pentagon and Air Force will run a similar program for the government’s technology user experience wing, that office announced Friday.

The program run by HackerOne will offer cash rewards ranging from $300 to $5,000 to security researchers who spot dangerous vulnerabilities in websites and applications run by the General Services Administration’s Technology Transformation Service.

TTS did not give a start date for the program.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

It will be one of the first civilian government implementation of a cybersecurity concept embraced by top tech companies including Google and Amazon.  

The general idea is that an organization’s internal security staff is unlikely to find every exploitable bug in its systems so it’s a good idea to incentivize ethical hackers to uncover them before their nefarious cousins do.

The technology service’s tech tiger team 18F released a vulnerability disclosure policy in November and began the solicitation process that resulted in HackerOne getting the contract in January.

The disclosure policy requires researchers only exploit TTS sites to the extent necessary to confirm they’re vulnerable and bars them from stealing any data or changing systems. Researchers also must keep any information they glean from hacking TTS sites confidential for 90 days after notifying the office.

The contract covers a trial period, but TTS’s goal is to establish “a permanent program that involves most—if not all—TTS-owned websites and web applications,” the service said.

A trial of the HackerOne-run Hack the Pentagon program turned up 1,189 bugs in Defense Department systems and resulted in $75,000 in payouts to hackers. The Hack the Army program turned up 118 bug reports that the service patched and resulted in about $100,000 in payouts.

The Hack the Air Force program begins May 30.