{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "news",
    "type" : "single",
    "title" : "The Next Step Towards a Bug Bounty Program for the Technology Transformation Service | Digital.gov",
    "description": "The Next Step Towards a Bug Bounty Program for the Technology Transformation Service",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2017/05/18/the-next-step-towards-a-bug-bounty-program-for-the-technology-transformation-service/index.json","item" : [
    {"title" :"The Next Step Towards a Bug Bounty Program for the Technology Transformation Service","summary" : "We took a big step toward creating a bug bounty program for our agency by issuing an award to HackerOne for a Software-as-a-Service bug-reporting platform.","date" : "2017-05-18T02:00:07-04:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"eric-mill" : "Eric Mill","omid-ghaffari-tabrizi" : "Omid Ghaffari-Tabrizi","waldo-jaquith" : "Waldo Jaquith"},"topics" : {
        
            "content-strategy" : "Content strategy",
            "product-and-project-management" : "Product and project management",
            "security" : "Security"
            },"branch" : "bc-archive-content-3",
      "filename" :"2017-05-18-the-next-step-towards-a-bug-bounty-program-for-the-technology-transformation-service.md",
      
      "filepath" :"news/2017/05/2017-05-18-the-next-step-towards-a-bug-bounty-program-for-the-technology-transformation-service.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2017/05/2017-05-18-the-next-step-towards-a-bug-bounty-program-for-the-technology-transformation-service.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2017/05/2017-05-18-the-next-step-towards-a-bug-bounty-program-for-the-technology-transformation-service.md","slug" : "the-next-step-towards-a-bug-bounty-program-for-the-technology-transformation-service","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2017/05/18/the-next-step-towards-a-bug-bounty-program-for-the-technology-transformation-service/","content" :"\u003cp\u003eOn May 9, we took a big step toward creating a bug bounty program for our agency by issuing an award to HackerOne for a Software-as-a-Service bug-reporting platform. The TTS Bug Bounty will be a security initiative that pays people for identifying bugs and security holes in software operated by the General Services Administration’s Technology Transformation Service (TTS), which includes 18F. This will be the first public bug bounty program run by a civilian agency, and follows in the footsteps of the \u003ca href=\"https://www.defense.gov/News/News-Releases/News-Release-View/Article/802929/defense-secretary-ash-carter-releases-hack-the-pentagon-results\"\u003eHack the Pentagon\u003c/a\u003e and \u003ca href=\"https://www.army.mil/article/178473/army_secretary_issues_challenge_with_hack_the_army_program\"\u003eHack the Army\u003c/a\u003e bug bounty programs run by the Department of Defense.\u003c/p\u003e\n\u003cp\u003eBefore launching the TTS Bug Bounty program, we issued the \u003ca href=\"https://18f.gsa.gov/vulnerability-disclosure-policy/\"\u003eTTS vulnerability disclosure policy\u003c/a\u003e in November. This policy outlines how researchers can report system vulnerabilities while keeping personal and financial information safe. Bug bounties build on such a policy by offering payouts for those reports, giving security researchers and other interested users a financial incentive to report security issues directly to the system owner. 
\u003cdiv class=\"image\"\u003e\n  \u003cimg\n    src=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2017/05/600-x-400-2-72-dpi-Software-development-and-debugging-concept.-Bug-found-in-binary-code-vchal-iStock-Thinkstock-504819900.jpg\"\n    alt=\"Software development and debugging concept. Bug found in binary code with magnifying glass.\"/\u003e\u003c/div\u003e\n\n\u003c/p\u003e\n\u003ch2 id=\"what-is-a-bug-bounty-program\"\u003eWhat is a “bug bounty” program?\u003c/h2\u003e\n\u003cp\u003eBug bounty programs have been operated by private companies since as early as 1983, after technology companies recognized the enthusiasm of people who were already fixing bugs and developing workarounds on their own. From the very beginning, these programs had a simple concept, and one that has stood the test of time: reward independent researchers for the software bugs they discover, giving the owners time to fix them before they’re made public.\u003c/p\u003e\n\u003cp\u003eFor a number of years, few companies operated bug bounties, but the idea has come into its own since 2010, when the best-known tech giants began to launch bug bounty programs of their own. Today, hundreds of companies run programs like the one we are building; most use one of the major commercial bug bounty providers, and a handful run their own.\u003c/p\u003e\n\u003ch2 id=\"how-will-the-tts-bug-bounty-be-structured\"\u003eHow will the TTS Bug Bounty be structured?\u003c/h2\u003e\n\u003cp\u003eDraft solicitation documents to hire a private vendor to operate the bug bounty program were posted for review and comment on January 23. We used these drafts to gather input from experts in the private sector and within government, and incorporated that feedback into our final \u003ca href=\"https://github.com/18F/tts-buy-bug-bounty\"\u003esolicitation documents\u003c/a\u003e. 
Now that we’ve issued an award, HackerOne will work with us to set up bug bounties for several TTS public-facing web applications.\u003c/p\u003e\n\u003cp\u003eWhen a bug report is submitted, HackerOne will triage it first, determining both whether the reported bug is valid and how severe it is. Valid bugs will be passed to TTS, and the team responsible for the affected web application will fix the issue. Anyone from a high school student with an interest in coding to a major security research firm with hundreds of employees can look for bugs and, if successful in their hunt, obtain a payout ranging from $300 to $5,000.\u003c/p\u003e\n\u003ch2 id=\"what-comes-next\"\u003eWhat comes next?\u003c/h2\u003e\n\u003cp\u003eSecurity bug bounties provide many benefits to organizations that offer them:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eProvide an officially sanctioned channel for users to report security issues\u003c/li\u003e\n\u003cli\u003eIncentivize independent researchers to use their expertise to improve the organization’s security posture\u003c/li\u003e\n\u003cli\u003eBring a broader base of expertise into play by opening up research to experts outside the organization\u003c/li\u003e\n\u003cli\u003eComplement traditional security reviews and penetration tests by making security review an ongoing, iterative process\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eWith bug bounties now an established industry-wide best practice, it’s important for us to have one of our own. Based on the results we receive from the TTS Bug Bounty, we look forward to establishing a permanent program that covers most — if not all — TTS-owned websites and web applications.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eThis post was originally published on the \u003ca href=\"https://18f.gsa.gov/2017/05/11/the-next-steps-towards-bug-bounty-program-for-technology-transformation-service/\"\u003e18F blog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n"}
  ]
}
