New 18F rules for bug hunters

Shutterstock image. 

The Technology Transformation Service, which includes the innovation hub 18F, has spelled out how security researchers should report the vulnerabilities they discover on a variety of government systems.

The General Services Administration's TTS released a new policy that encourages researchers to report vulnerabilities without fear of prosecution so TTS can fix them in a timely fashion.

However, the guidance does not apply to all hacking efforts. The policy covers the following domains:,,, and Researchers who probe domains not listed in the guidance are not protected. In a recent blog post, 18F's Kimber Dowsett said officials plan to eventually include all agency-operated systems.

Researchers who come across personally identifiable, financial or proprietary government information are instructed to immediately alert TTS.

The guidelines also limit the use of exploits beyond what is necessary to verify a vulnerability, protect data confidentiality and avoid privacy violations. User interface bugs, denial-of-service tests and nontechnical vulnerability testing -- such as physical testing or social engineering -- are excluded from legal protection.

The policy states that all reports should include where the vulnerability was found, its potential impact, how to reproduce the vulnerability and any other helpful technical information.

TTS said it will accept reports submitted anonymously and might share the information with the U.S. Computer Emergency Readiness Team, affected parties and open-source projects.

Additionally, TTS has asked that security researchers wait 90 days before publicly disclosing a vulnerability.

The policy also states that if security researchers make a "good faith effort" to comply with its scope and guidelines, GSA will collaborate with researchers to resolve vulnerabilities and not pursue legal action.

TTS is not the first government agency to release a vulnerability reporting policy of this nature. The Defense Department recently unveiled a similar policy for all its public websites.

About the Author

Chase Gunter is a former FCW staff writer.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.