{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "news",
    "type" : "single",
    "title" : "TTS Bug Bounty Program: 3 Year Review |Digital.gov",
    "description": "TTS Bug Bounty Program: 3 Year Review",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2020/12/14/tts-bug-bounty-program-3-year-review/index.json","item" : [
    {"title" :"TTS Bug Bounty Program: 3 Year Review","deck" : "We&rsquo;re reflecting on our Bug Bounty program for the last 3 years and highlighting some lessons learned.","summary" : "We&rsquo;re reflecting on our Bug Bounty program for the last 3 years and highlighting some lessons learned.","date" : "2020-12-14T10:56:00-05:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"alyssa-feola" : "Alyssa Feola","aidan-feldman" : "Aidan Feldman"},"topics" : {
        
            "crowdsourcing-and-citizen-science" : "Crowdsourcing and citizen science",
            "security" : "Security"
            },
        "primary_image" : {
            "uid" : "bug-bounty1",
            "alt" : "TTS Bug Bounty: 3 Year Review",
            "width" : "1280",
            "height" : "720",
            "credit" : "",
            "caption" : "",
            "format" : "png"
        },
        "branch" : "bc-archive-content-3",
        "filename" : "2020-12-11-tts-bug-bounty-program-3-year-review.md",
        "filepath" : "news/2020/12/2020-12-11-tts-bug-bounty-program-3-year-review.md",
        "filepathURL" : "https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2020/12/2020-12-11-tts-bug-bounty-program-3-year-review.md",
        "editpathURL" : "https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2020/12/2020-12-11-tts-bug-bounty-program-3-year-review.md",
        "slug" : "tts-bug-bounty-program-3-year-review",
        "url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2020/12/14/tts-bug-bounty-program-3-year-review/",
        "weight" : "1",
        "content" : "\u003cp\u003eThe \u003ca href=\"https://hackerone.com/tts\"\u003eTechnology Transformation Services (TTS) Bug Bounty Program\u003c/a\u003e is one of the first of its kind. While \u003ca href=\"https://www.hackerone.com/hack-the-pentagon\"\u003eHack the Pentagon\u003c/a\u003e engagements are timebound, TTS was the first in government to operate an ongoing bug bounty program. Our program has been running for three years, and we wanted to use the milestone to share our experience!\u003c/p\u003e\n\u003cp\u003eAs described in the \u003ca href=\"https://cyber.dhs.gov/bod/20-01/\"\u003eBinding Operational Directive 20-01: Vulnerability Disclosure Policy\u003c/a\u003e:\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eIn bug bounty programs, organizations pay for valid and impactful findings of certain types of vulnerabilities in their systems or products. A financial reward can incentivize action, and may attract people who might not otherwise look for vulnerabilities.\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"image\"\u003e\n  \u003cimg src=\"https://s3.amazonaws.com/digitalgov/bug-bounty-timeline.png\" alt=\"Timeline showing the evolution of government bug bounty programs, starting in 2016 with the Department of Defense and ending in May of 2017 when TTS launched its bug bounty program.\"/\u003e\n\u003c/div\u003e\n\u003ch2 id=\"tts-bug-bounty-program-overview\"\u003eTTS Bug Bounty Program Overview\u003c/h2\u003e\n\u003cp\u003eThe TTS Bug Bounty runs on top of our \u003ca href=\"https://18f.gsa.gov/vulnerability-disclosure-policy/\"\u003evulnerability disclosure program\u003c/a\u003e, offering financial rewards for valid findings in a subset of our systems. Those bounties are an incentive for security researchers to spend time digging into our systems, finding problems and reporting them before a bad actor finds and exploits them. Here’s how it works:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eA security researcher finds a vulnerability in one of our systems\u003c/li\u003e\n\u003cli\u003eThey submit it to \u003ca href=\"https://hackerone.com/tts\"\u003eour program\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eThe triage team confirms:\n\u003cul\u003e\n\u003cli\u003eThat the system is \u003ca href=\"https://hackerone.com/tts?type=team#scope\"\u003ein scope\u003c/a\u003e\n\u003cul\u003e\n\u003cli\u003eIf we believe the vulnerability may exist in other systems, we pass that information along to the system owners so they can proactively find and fix it\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eThat the finding is valid\u003c/li\u003e\n\u003cli\u003eWhat the severity rating should be, based on the \u003ca href=\"https://nvd.nist.gov/vuln-metrics/cvss\"\u003eCommon Vulnerability Scoring System (CVSS)\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eThe report is assigned to the system owners\u003c/li\u003e\n\u003cli\u003eThere may be back-and-forth for clarification, a decision on whether it’s considered a security vulnerability or not, etc.\u003c/li\u003e\n\u003cli\u003eOnce validated, a bounty is awarded\u003c/li\u003e\n\u003cli\u003eThe system owners fix the issue\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eSuccessful programs receive dozens of reports per month, but on average only about 10% of submissions turn out to be valid. All submissions need responses, or else you risk alienating researchers.\u003c/p\u003e\n\u003cp\u003eThere is a Not To Exceed (NTE) bounty pool from which researchers are paid, ensuring that the cost of the program has an upper limit.\u003c/p\u003e\n\u003ch2 id=\"all-time-review\"\u003eAll Time Review\u003c/h2\u003e\n\u003cp\u003eOn average, we receive 21 submissions per month. 18% of submissions are valid and unique vulnerabilities, which have an average award of $462.\u003c/p\u003e\n\u003cp\u003eSeverity breakdown:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e20% High or Critical\u003c/li\u003e\n\u003cli\u003e47% Medium\u003c/li\u003e\n\u003cli\u003e29% Low\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eWe value researchers’ contributions and are proud of our program’s responsiveness! On average:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eReports receive a first response within nine hours and are triaged within four days.\u003c/li\u003e\n\u003cli\u003eResearchers receive a bounty 15 days from the date of submission.\u003c/li\u003e\n\u003cli\u003eValid vulnerabilities are fixed within two months.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cdiv class=\"image\"\u003e\n  \u003cimg src=\"https://s3.amazonaws.com/digitalgov/bug-bounty3.png\" alt=\"A line chart showing more than 280 bug bounty submissions in quarter 3 of 2017, of which around 40 were deemed valid. Subsequent submissions and validations were significantly lower, with no more than 60 each quarter.\"/\u003e\n\u003c/div\u003e\n\u003ch2 id=\"year-1\"\u003eYear 1\u003c/h2\u003e\n\u003cp\u003eAs shown in the chart below, a majority of the submissions came at the onset of our public launch.\u003c/p\u003e\n\u003cdiv class=\"image\"\u003e\n  \u003cimg src=\"https://s3.amazonaws.com/digitalgov/bug-bounty2.png\" alt=\"Line chart showing more than 280 bug bounty submissions in quarter 3 of 2017.\"/\u003e\n\u003c/div\u003e\n\u003cp\u003eWe attribute this to getting press around the launch, as well as to having systems that had not yet been scrutinized by outside security researchers.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBounty Highlight\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eReport: \u003ca href=\"https://hackerone.com/reports/265528\"\u003e#265528\u003c/a\u003e, Reported: 9/2/2019, Asset: data.gov, Weakness: Cross-site Scripting (XSS) - Reflected, Bounty: $300, Researcher: Dr. Jones (sp1d3rs)\u003c/p\u003e\n\u003cp\u003eDescription: A security researcher discovered a \u003ca href=\"https://owasp.org/www-community/attacks/xss/\"\u003eCross-Site Scripting (XSS)\u003c/a\u003e issue on the data.gov site. The XSS worked only with a few ‘\u0026amp;’ characters in certain places, identified by trial and error; without them, the input appeared to be correctly sanitized. The discovered XSS issue was site-wide and affected 80+ endpoints.\u003c/p\u003e\n\u003ch2 id=\"year-2\"\u003eYear 2\u003c/h2\u003e\n\u003cp\u003eIn our second year, our rate of valid reports increased from 39% the prior year to almost 52%. We’ve attributed the spike in activity to updating the scope with a new asset that was widely distributed and drew more attention to our program.\u003c/p\u003e\n\u003cdiv class=\"image\"\u003e\n  \u003cimg src=\"https://s3.amazonaws.com/digitalgov/bug-bounty5.png\" alt=\"A line chart showing more than 280 bug bounty submissions in quarter 3 of 2017, of which around 40 were deemed valid. Subsequent submissions and validations were significantly lower, with no more than 60 each quarter.\"/\u003e\n\u003c/div\u003e\n\u003cp\u003e\u003cstrong\u003eBounty Highlight\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eReport: \u003ca href=\"https://hackerone.com/reports/387007\"\u003e#387007\u003c/a\u003e, Reported: 7/26/2018, Asset: cloud.gov, Weakness: Open Redirect, Bounty: $150, Researcher: Sergey Bobrov (bobrov)\u003c/p\u003e\n\u003cp\u003eDescription: It was found that \u003ca href=\"https://idp.fr.cloud.gov\"\u003ehttps://idp.fr.cloud.gov\u003c/a\u003e was vulnerable to an \u003ca href=\"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html\"\u003eopen redirect\u003c/a\u003e due to improper validation of the URL path value. The web application accepted user-controlled input that specified a link to an external site and used that link in a redirect, which simplifies phishing attacks.\u003c/p\u003e\n\u003ch2 id=\"year-3\"\u003eYear 3\u003c/h2\u003e\n\u003cp\u003eIn our third year, 30% of our valid reports had a high or critical \u003ca href=\"https://nvd.nist.gov/vuln-metrics/cvss\"\u003eCVSS rating\u003c/a\u003e, which contributed towards a justification for increasing internal staff to improve the system development life cycle.\u003c/p\u003e\n\u003cdiv class=\"image\"\u003e\n  \u003cimg src=\"https://s3.amazonaws.com/digitalgov/bug-bounty4.png\" alt=\"A line chart showing an increase of bug bounty submissions to over 90 in quarter 2 of 2020.\"/\u003e\n\u003c/div\u003e\n\u003cp\u003e\u003cstrong\u003eBounty Highlight\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eReport: \u003ca href=\"https://hackerone.com/reports/514224\"\u003e#514224\u003c/a\u003e, Reported: 3/23/2019, Asset: search.gov, Weakness: Server-Side Request Forgery (SSRF), Bounty: $150, Researcher: Noriaki Iwasaki (niwasaki)\u003c/p\u003e\n\u003cp\u003eDescription: A search.gov endpoint was vulnerable to \u003ca href=\"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery\"\u003eSSRF\u003c/a\u003e via a URL parameter. The parameter was protected, but the protection could be bypassed using a Line Feed character (\u003ccode\u003e%0A\u003c/code\u003e). This may have allowed an attacker to probe the internal network.\u003c/p\u003e\n\u003ch3 id=\"what-we-learned\"\u003eWhat we learned…\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eStaffing\u003c/strong\u003e — We started out with a rotating cohort of internal folks overseeing the program. Once the team grew and became more defined, we switched to dedicated staff. This allows us to keep a consistent focus on the state of the program and on potential improvements to it.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eEngagement\u003c/strong\u003e — The more we reached out to the crowd and sent messages, the more traction we got on our program. Researchers want to know what is going on with our program and see value in submitting bugs to an actively managed program.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eRouting\u003c/strong\u003e — As the first public bug bounty program run by a civilian agency, we get around two reports per month intended for other agencies, because people don’t know where else to report. We worked with CISA on \u003ca href=\"https://cyber.dhs.gov/bod/20-01/\"\u003etheir Binding Operational Directive (BOD) for vulnerability disclosure\u003c/a\u003e so that other federal agencies can start programs of their own.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eEffort\u003c/strong\u003e — It really does take a village. There tend to be false positives: about 68% of all the reports we receive are not valid. We use third-party triage as part of our program, which means that we don’t have to worry about reports until they’ve been verified. This helps to offload distraction from our team.\u003c/p\u003e\n\u003ch3 id=\"how-weve-iterated\"\u003eHow we’ve iterated…\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eVolume\u003c/strong\u003e — When a new system is added, there tend to be more reports up front, which then decrease to a steadier state. To mitigate that volume, we throttle the reports by starting systems out in a private bug bounty, which is only available to a small number of security researchers. (There are other ways to do this throttling—that’s just what works for us.) We also have a setting for signal, a means of identifying hackers who have had consistently valid reports, so that we receive reports from more vetted researchers. After a time, we move systems to the public program so that anyone can submit. We then increase the bounty rewards over time, to incentivize researchers to continue investigating our systems.\u003c/p\u003e\n\u003ch3 id=\"where-we-plan-on-improving\"\u003eWhere we plan on improving…\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eTracking\u003c/strong\u003e — The Bug Bounty system we use provides an inbox for managing all the vulnerability reports we get across programs, but this is disconnected from the project management tools that individual teams use. We want to better track both individual vulnerabilities and more general vulnerability classes for each program. For example, a reported cross-site scripting vulnerability must also generate a separate issue to find and fix all other related cross-site scripting vulnerabilities. Each project team then needs to track that resolution separately, and TTS wants visibility across all those systems.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eConsolidation\u003c/strong\u003e — We currently run our Bug Bounty through a platform, while we also have a Google Form and an email address for \u003ca href=\"https://18f.gsa.gov/vulnerability-disclosure-policy/#reporting-a-vulnerability\"\u003evulnerability disclosure\u003c/a\u003e. This means the latter don’t go through the same triage process, and we have to track reported vulnerabilities in three places. Having a single funnel for reporting (for a bounty or not) will make things easier for the program and more consistent for the teams that are part of it.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eScope\u003c/strong\u003e — The TTS Bug Bounty program started with five programs in scope. The main programs that had priority were cloud.gov and login.gov. The three other slots were considered on a rotating basis and had a \u003ca href=\"https://github.com/18F/bug-bounty/blob/master/selection-process.md\"\u003eSelection Process\u003c/a\u003e to help determine which programs should be added. Currently, there are eight TTS systems under the Bug Bounty program. We have \u003ca href=\"https://github.com/18F/tts-tech-portfolio/issues/new?assignees=\u0026amp;labels=ATO\u0026amp;template=ato.md\u0026amp;title=ATO+for+%5Bsystem%5D+-+due+%5Bdate%5D\"\u003emade it a requirement\u003c/a\u003e for all new TTS systems going forward, and are working to \u003ca href=\"https://github.com/18F/bug-bounty/issues/34\"\u003eget all our existing systems in scope\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eTTS has been very happy with the effectiveness and value of our Bug Bounty program. It is representative of the forward-thinking, civic tech-minded folks who are invested in working with the security researcher community. We hope to see more created at other agencies.\u003c/p\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eAre there other government agencies out there with bug bounty programs that we aren’t aware of? Let us know! \u003ca href=\"mailto:devops@gsa.gov\"\u003edevops@gsa.gov\u003c/a\u003e\u003c/strong\u003e\u003c/p\u003e\n"}
  ]
}
