CIO

US gov brews a bug bounty for all federal agencies

The US federal government’s main procurement agency is developing its own bug bounty to fit within the confines of existing federal procurement rules.

18F, a tech-savvy unit of the US government’s chief procurement agency, the General Services Administration (GSA), is designing a bug bounty program that would offer hackers up to $3,500 for reporting bugs they find in agency systems.

Bug bounties have been used by many Silicon Valley firms and by tech firms elsewhere in the world, but remain experimental in traditional industries. Tesla, General Motors and United Airlines have opened bug bounties, but the idea of working with hackers who aren’t contractually bound to silence still sits uneasily with many organizations.

But times are changing. The US Department of Defense (DoD) launched ‘Hack the Pentagon’ in May. It used the bug bounty service provider HackerOne to coordinate vulnerability disclosure and distribute payments to hackers.

The DoD is offering cash rewards to pre-vetted hackers who report bugs in a specified set of public-facing websites.

The DoD’s bug bounty pilot is being driven by its Defense Digital Service (DDS), a relatively new unit tasked with exploring new methods of acquiring products and services.

Essentially, the DoD’s bounty — the first for any US federal agency — explores alternative procurement methods. Instead of committing to a contract after a tender process, the department can buy an information security service from whichever supplier delivers first, while the work of confirming that a reported bug is a genuine vulnerability is outsourced to an external provider.

GSA’s 18F has similar ambitions for its proposed bug bounty, in that it is exploring purchasing outside the usual strictures of government procurement. However, 18F wants to establish a framework that would allow all federal agencies to participate.

FedScoop, which first reported 18F’s plan, notes that the proposed program offers awards of less than $3,500 to anyone who finds and reports a bug, keeping each award within the federal government’s “micro-purchase” threshold, a limit intended for small items like office supplies.

For the bounty program, GSA’s 18F proposes that it would provide “advice, guidance, and even help resolving issues” but would not play “cops”, telling would-be participants that they need to track and resolve issues themselves. 18F expects agencies to resolve a reported issue within 90 days. (For comparison, Google’s Project Zero gives vendors, Google included, 90 days to fix issues its researchers report before details are published.)

Agencies inclined to run a bug bounty on their software may still find it better to outsource the work to private sector providers. 18F notes that agencies would need to handle their own triage, tracking and communication with researchers, none of which are trivial tasks.

Even so, 18F expects that a participating agency wouldn’t spend more than eight hours a week managing its bounty.

“Generally, we think you should expect to spend on the order of 4-8 hours a week on bounty management tasks,” it said.