New 18F rules for bug hunters

The General Services Administration's Technology Transformation Service spelled out exactly how it wants security researchers to report vulnerabilities found on a variety of government systems.

Shutterstock image.

The Technology Transformation Service, which includes the innovation hub 18F, has spelled out how security researchers should report the vulnerabilities they discover on a variety of government systems.

The General Services Administration's TTS released a new policy that encourages researchers to report vulnerabilities without fear of prosecution so TTS can fix them in a timely fashion.

However, the guidance does not apply to all hacking efforts. The policy covers the following domains:,,, and Researchers who probe domains not listed in the guidance are not protected. In a recent blog post, 18F's Kimber Dowsett said officials plan to eventually include all agency-operated systems.

Researchers who come across personally identifiable, financial or proprietary government information are instructed to immediately alert TTS.

The guidelines also limit the use of exploits beyond what is necessary to verify a vulnerability, protect data confidentiality and avoid privacy violations. User interface bugs, denial-of-service tests and nontechnical vulnerability testing -- such as physical testing or social engineering -- are excluded from legal protection.

The policy states that all reports should include where the vulnerability was found, its potential impact, how to reproduce the vulnerability and any other helpful technical information.

TTS said it will accept reports submitted anonymously and might share the information with the U.S. Computer Emergency Readiness Team, affected parties and open-source projects.

Additionally, TTS has asked that security researchers wait 90 days before publicly disclosing a vulnerability.

The policy also states that if security researchers make a "good faith effort" to comply with its scope and guidelines, GSA will collaborate with researchers to resolve vulnerabilities and not pursue legal action.

TTS is not the first government agency to release a vulnerability reporting policy of this nature. The Defense Department recently unveiled a similar policy for all its public websites.