Cybersecurity

New 18F rules for bug hunters

Shutterstock image. 

The Technology Transformation Service, which includes the innovation hub 18F, has spelled out how security researchers should report the vulnerabilities they discover on a variety of government systems.

The General Services Administration's TTS released a new policy that encourages researchers to report vulnerabilities without fear of prosecution so TTS can fix them in a timely fashion.

However, the guidance does not apply to all hacking efforts. The policy covers the following domains: vote.gov, analytics.usa.gov, calc.gsa.gov, micropurchase.18f.gov and 18f.gsa.gov. Researchers who probe domains not listed in the guidance are not protected. In a recent blog post, 18F's Kimber Dowsett said officials plan to eventually include all agency-operated systems.

Researchers who come across personally identifiable, financial or proprietary government information are instructed to immediately alert TTS.

The guidelines also limit the use of exploits beyond what is necessary to verify a vulnerability, protect data confidentiality and avoid privacy violations. User interface bugs, denial-of-service tests and nontechnical vulnerability testing -- such as physical testing or social engineering -- are excluded from legal protection.

The policy states that all reports should include where the vulnerability was found, its potential impact, how to reproduce the vulnerability and any other helpful technical information.

TTS said it will accept reports submitted anonymously and might share the information with the U.S. Computer Emergency Readiness Team, affected parties and open-source projects.

Additionally, TTS has asked that security researchers wait 90 days before publicly disclosing a vulnerability.

The policy also states that if security researchers make a "good faith effort" to comply with its scope and guidelines, GSA will collaborate with researchers to resolve vulnerabilities and not pursue legal action.

TTS is not the first government agency to release a vulnerability reporting policy of this nature. The Defense Department recently unveiled a similar policy for all its public websites.

About the Author

Chase Gunter is a former FCW staff writer.

Featured

  • Comment
    customer experience (garagestock/Shutterstock.com)

    Leveraging the TMF to improve customer experience

    Focusing on customer experience as part of the Technology Modernization Fund investment strategy will enable agencies to improve service and build trust in government.

  • FCW Perspectives
    zero trust network

    Why zero trust is having a moment

    Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security.

Stay Connected