GSA releases policy allowing public to report website vulnerabilities

The General Services Administration’s Technology Transformation Service released a policy Tuesday that will grant people a legal way to detect and notify the agency of security vulnerabilities on a number of public-facing government websites.

The vulnerability disclosure policy allows people to check five GSA-run sites for vulnerabilities:

• vote.gov
• analytics.usa.gov
• calc.gsa.gov
• micropurchase.18f.gov
• 18f.gsa.gov

According to the blog post, the policy will soon include all TTS-operated systems.

Reports should include the vulnerability’s location and potential impact, the steps required to reproduce it and any other technical issues needed to recreate the issue.

The policy requires that a person keep any information about discovered vulnerabilities confidential for 90 days after notifying GSA.

“While our projects already adhere to strict security standards, we’re not perfect,” wrote 18F’s Kimber Dowsett in the blog post. “There will always be more expertise outside our organization than on the inside, and outside security researchers should feel just as welcome in raising a red flag as our own staff. What’s most important is that we protect the government’s systems and the information the public entrusts to them. We don’t care who submits a vulnerability, we just want to fix it as soon as possible.”

The policy is the second such guideline released by the government this week. The Defense Department released a similar policy on Monday, outlining how the public can disclose vulnerabilities in any of DOD’s public-facing systems.

The TTS policy differs from DOD’s in that it’s not attached to a bug bounty program. Currently, there is no monetary award attached to finding vulnerabilities on the listed GSA sites, however the policy gives an outline for how a potential bug bounty would work.

You can read the full disclosure policy on 18F’s website.