The General Services Administration’s 18F digital team is building a bug bounty program for use by other federal agencies, an agency spokesperson has confirmed.
The team’s page on the open-source collaboration site GitHub, which it uses to develop projects and programs in public, shows code and documentation for a bounty program. These increasingly popular programs involve firms or other large enterprises offering hackers cash incentives to find and report cybersecurity flaws in their systems.
The Defense Department in April became the first federal entity to host a bug bounty program.
It appears 18F has designed the platform to host bounties as a service for other federal agencies — the project’s code features instructions for how other federal teams can participate in the 18F program. A key requirement involves agencies pledging they will manage the triage and tracking of submitted bugs. 18F will require agencies to resolve the reported issues within 90 days.
‘In a nutshell, the requirement comes down to this: you need to take accountability for fixing any reported issues in a reasonable time,’ the GitHub page says. ‘18F’s bug bounty team is more than [happy] to provide advice, guidance, and even help resolving issues. However, we won’t play “cops” — you need to be OK owning the responsibility of tracking and resolving issues.’
18F’s proposed service-level agreement focuses on three tiers of vulnerabilities, each with a corresponding payout at or below the federal government’s $3,500 micropurchase limit, which is typically used for charge-card acquisitions of small items such as office supplies and equipment or travel tickets.
The 18F team has been experimenting with micropurchase-based reverse auctions as a way to attract the talents of private sector developers for short-term software development projects without an intensive and arduous procurement cycle.
18F says it reserves the right to ‘adjust our rewards based on our assessment of severity and the quality of the report,’ and will only pay for bugs found within the specific sites eventually featured on the platform.
18F said it would not comment on the program’s specifics outside of the GitHub documentation until its launch date, which is not listed on the page.
It’s a ‘work in progress,’ the page says. ‘We’re working on it, but we’re not accepting bug bounty submissions yet. Please do not submit them here, or anywhere, until this gets officially launched!’
White hat hackers who want to participate in the eventual program will be subject to the rules laid out on the program’s GitHub page.