This Web-Building Tool is the Target of Civilian Government’s First Bug Bounty


GSA’s tech unit is paying up to $5,000 to security researchers who find exploitable flaws in its Federalist tool.

A government-friendly website building tool is the first target for a General Services Administration program that recruits freelance cybersecurity researchers to root out vulnerabilities in government tech systems.

GSA’s Technology Transformation Service loosed a select group of invite-only ethical hackers on its Federalist web building platform earlier this year and later opened it up to all the hackers registered in TTS’s bug bounty program, TTS Technical Lead Laura Gerhardt said Wednesday.

TTS hoped to root out the most concerning vulnerabilities during the non-public portion of the bounty program, but “we actually had not as many vulnerabilities as we thought we would,” Gerhardt said during a cybersecurity summit hosted by the government tech publication FCW.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Hackers in the bug bounty program must be registered with HackerOne, the company that’s managing the TTS bug bounty program and several other government bug bounties.

TTS plans to open up other tools to the security researchers soon, Gerhardt said.

The TTS program, which launched in May, is the first fully-open civilian bug bounty program in government. Similar pilot programs have been run by the Pentagon, Army and Air Force.

The IRS contracted with the company Synack on a non-public bug-hunting program that allows the tax agency to more closely track researchers.

Bug bounties are cash awards for independent security researchers who spot exploitable flaws in an organization’s software that the organization’s own developers missed. The awards are scaled based on how damaging the vulnerability would be if non-ethical hackers exploited it.

In TTS’s case, the awards range from $300 at the bottom end of the scale to $5,000 at the top. Some private-sector organizations pay significantly more. During its pilot program, the Pentagon paid $15,000 for one particularly dangerous flaw.

TTS’s Federalist tool launched in non-beta form in June. It allows federal web developers to host new sites in computer clouds that meet government security requirements and provides web templates that meet government standards, including accessibility standards for people who are blind or have limited vision.

Other federal agencies considering bug bounty programs should first ensure they have enough developers on staff to fix all the vulnerabilities that are reported to them, Gerhardt recommended.

Even if agencies don’t launch bug bounties, she said, they should develop clear disclosure guidelines so security researchers who find bugs know who to contact.