House Committee Forwards State Department Bug Bounty Bill

Rep. Ted Lieu, D-Calif. Mark J. Terrill/AP File Photo

The ethical hacking competition is modeled on the Hack the Pentagon program.

The House Foreign Affairs Committee forwarded legislation Wednesday that would invite ethical hackers to probe State Department web systems for digital bugs.

The program, known as a bug bounty, would be modeled on similar cash rewards programs at the Pentagon, Army and Air Force. The bill passed on a voice vote.

Bug bounties are common at large technology companies but the U.S. government has been slower to adopt them.

Bug bounty proponents say that crowdsourcing bug hunting helps organizations to uncover far more digital vulnerabilities than they could by relying only on their own IT and security staffs.

Skeptics warn that bug bounties require a lot of time and money to manage and may be counterproductive if an organization isn’t already patching known computer vulnerabilities or doesn’t have the resources to vet and patch bug reports that come in.

A co-sponsor of the Hack Your State Department bill, Rep. Ted Lieu, D-Calif., said the bill would allow the department to “enlist the help of America’s top cybersecurity researchers to find weaknesses in our cybersecurity.”

House Foreign Affairs Chairman Ed Royce, R-Calif., cited a 2014 breach of the State Department email system as evidence the department must improve its cybersecurity.

The bill was also sponsored by Rep. Ted Yoho, R-Fla.

The bill requires the State Department to establish a vulnerability disclosure policy within six months and a bug bounty within one year.

Similar to bug bounties, vulnerability disclosure policies tell ethical hackers which systems they can probe for vulnerabilities without falling afoul of anti-hacking laws and whom to contact when they find vulnerabilities. They don’t offer any cash rewards, though.

Hackers who participate in the bug bounty would have to be vetted by the State Department or a private company that was hired to run the bounty and would have to submit to background checks, according to the bill.

The bill also requires the State Department to report to Congress on how many digital bugs participants find and how long it takes the department to patch them.

The committee also forwarded a U.S.-Israel cooperation bill Wednesday that would establish a grant program for cybersecurity research and development programs that are joint ventures between U.S. and Israeli organizations.