US gov brews a bug bounty for all federal agencies

The US federal government’s main procurement agency is developing its own bug bounty to fit within the confines of existing federal procurement rules.

18F, a tech-savvy unit of the US government’s chief procurement agency, the General Services Administration (GSA), is designing a bug bounty program that would offer hackers up to $3,500 for reporting bugs they find in agency systems.

Bug bounties have been used by many Silicon Valley firms and by tech firms in other parts of the world, but remain experimental for traditional industries. Tesla, General Motors and United Airlines have opened bug bounties, but the idea of working with hackers who aren’t contractually bound to silence still sits uneasily with many organisations.

But times are changing. The US Department of Defense (DoD) launched ‘Hack the Pentagon’ in May. It used bug bounty service provider HackerOne to coordinate vulnerability disclosure and distribute payments to hackers.

The DoD is offering cash rewards to pre-vetted hackers who report bugs in a specified set of public-facing websites.

The DoD’s bug bounty pilot is being driven by its Defense Digital Service (DDS), a relatively new unit tasked with exploring new methods of acquiring products and services.

Essentially, the DoD’s bounty — the first for any US federal agency — is an experiment in alternative procurement. Instead of committing to a contract after a tender process, the agency pays whichever participant first delivers a valid report, and the work of confirming that a reported bug is actually a bug is outsourced to an external supplier.

GSA 18F’s proposed bug bounty has similar ambitions to the DoD’s, in that it explores procurement outside the usual strictures of government purchasing. However, 18F wants to establish a framework that would allow all federal agencies to participate.

FedScoop, which first reported 18F’s plan, notes that the proposed program offers awards of less than $3,500 to anyone who finds and reports a bug. That figure sits within the federal government’s “micro-purchase” limit, a threshold meant for items like office supplies, so no tender process is required.

For the bounty program, GSA’s 18F proposes that it would provide “advice, guidance, and even help resolving issues” but would not play “cops”, telling would-be participants that they need to track and resolve issues themselves. 18F expects agencies to resolve a reported issue within 90 days. (For comparison, Google’s Project Zero gives vendors, Google included, 90 days to fix a bug its researchers report before it is disclosed publicly.)

Agencies inclined to run a bug bounty on their software may still find it better to outsource to private sector providers. 18F notes that agencies would need to handle their own triage, tracking and communication with researchers, none of which are trivial tasks.

But 18F expects that any agency willing to participate wouldn’t spend more than 8 hours a week on managing the bounty.

“Generally, we think you should expect to spend on the order of 4-8 hours a week on bounty management tasks,” it said.

Stories by Liam Tung