GSA Adds to Sweeping Bug Bounty Program

Participants can win between $150 and $5,000 for each bug they find.

The General Services Administration is inviting ethical hackers to break into the sign-on portal for citizens applying for government jobs and accessing federal programs.

The agency on Wednesday added to its sweeping public bug bounty program, offering anyone who discovers a security gap within the site potentially thousands of dollars in prize money. The site offers citizens a way to access a variety of federal programs using a single username and password, and today some 7 million people go through the site to apply for federal jobs, expedite the airport security process and do business with the government.

The GSA’s Technology Transformation Service kicked off the bug bounty with cybersecurity research platform HackerOne in August, which the office said marks the first such program at a civilian agency. The initiative originally centered on Federalist, a platform agencies could use to build custom websites, but over the last year expanded to include, and now

Bug bounty programs recruit ethical, or white-hat, hackers to find security holes in an organization’s systems and networks before malicious actors do. Vulnerabilities can range from low-risk flaws to critical issues capable of compromising an entire network or exposing sensitive information, and rewards scale with the severity of the finding.

Participants can win between $150 and $5,000 for each bug they find in the newly added portal. GSA has already awarded nearly $21,000 in bounties through the program.

Bug bounties offer agencies a relatively inexpensive way to bolster network security, and they’ve become particularly popular at the Defense Department, where hackers have disclosed hundreds of vulnerabilities in systems within the Pentagon, Air Force and Army. The department is currently considering a broad contract that would enable vendors to host short- and long-term bounty programs across the enterprise.

Some lawmakers have sponsored bills mandating bug bounties at the Homeland Security and State departments. Experts, however, warn that crowdsourced initiatives cannot replace robust in-house cybersecurity teams: someone still has to triage, validate, and fix what the hackers report. Running a bug bounty program is itself a resource-intensive task, and some argue those resources would be better spent expanding existing security efforts.