GSA close to launching bug bounty

The General Services Administration appears another step closer to joining the growing trend in the federal government of agencies enlisting white-hat hackers to seek out network vulnerabilities for a nice chunk of change.

GSA’s Technology Transformation Service issued a draft solicitation through an open source GitHub project earlier this year looking for potential experienced vendors to help it establish its own bug bounty program. The service requested feedback from interested parties by Jan. 30.

Bug bounties — programs that invite security researchers to hunt for vulnerabilities in an organization’s networks or systems in exchange for a prize —are increasingly popular in the federal government after the Defense Department and the Army saw early successes hosting them.

“As part of its programmatic focus on security, TTS needs to purchase access to a pre-existing, commercially available Bug Bounty SaaS [software-as-a-service] Platform that will allow it to launch and manage the TTS Bug Bounty program,” the draft solicitation’s performance work statement says.

GSA — specifically its 18F digital services team, which is now housed in the TTS organization — has been toying around with the idea of a bug bounty program in some capacity for quite a while. The 18F team began working on a bug bounty pilot as a service for other agencies in early 2016, though that specific project appears to have never moved past early planning stages.

With the help of a contractor under this new program, TTS will invite researchers to look for vulnerabilities in “TTS-owned web applications.” That contractor would also “triage services for those reported vulnerabilities, disburse rewards for effective vulnerabilities, and explain the reasons behind rejections,” the service says on its GitHub draft solicitation.

On the GitHub page, GSA lays out a proposed pricing structure of payouts: $300 for low-risk vulnerabilities, $1,000 for medium-risk vulnerabilities, and $5,000 for high-risk vulnerabilities, anticipating “6 low-risk, 1 medium-risk, and 1 high-risk payout per month” for the three-month base period of the firm-fixed-price contract. Though it’s not set in stone, GSA says there could be two optional three-month periods as well. Otherwise, interested contractors will submit offers for GSA’s total cost to use of their platform for the bounty.

TTS essentially says the bigger and more experienced the bug bounty vendor, the better it will be in offering its established pool of security researchers to find more vulnerabilities.

“By the very nature of a bug bounty program, a contractor that provides a Bug Bounty SaaS Platform that can achieve the goals of TTS while providing the best value to the government must be one that is well-established,” the draft performance work statement says. “The more well-known the provider of a Bug Bounty SaaS Platform, the larger and more talented the pool of security researchers they have in their community. The larger the community of security researchers in the Bug Bounty SaaS Platform provider’s network, the better the chance TTS has of finding bugs and technical issues within their web applications.”

GSA says it’s already “begun the approval process for the three known contractors in the industry.” A number of bug bounty platform companies have developed in recent years, like HackerOne —which operated the DOD and Army programs — Synack and Bugcrowd, though GSA did not respond to questions about which companies it had contacted and others prior to publication.

HackerOne was the only company to publicly submit questions on the GitHub project. CTO Alex Rice told FedScoop that TTS — like the Pentagon before it as a precursor to the Army’s bug bounty — is displaying best practices that other agencies around the federal government can easily replicate, beginning with the issuance of a vulnerability disclosure policy.

“Once you’ve done one of the vulnerability disclosure programs, it is quite common to see it be followed by bug bounty programs in relatively short order. So that’s what I think we’re seeing here,” Rice said. “What they’re essentially doing is creating a blueprint here for how anyone really anywhere can implement one of these programs.”

Moreover, by developing this acquisition in the open on GitHub and thoroughly crafting it with language that provides for “maximum flexibility,” the HackerOne CTO said, TTS is making this a user-friendly model for partner agencies to grab, adapt and implement to fit their own needs.

“They are kind of pioneering and breaking new ground with doing it through this federal contracting process,” Rice said. “And the lessons learned from 18F and the DOD doing this are making these programs accessible to every government agency out there. So I think we’ll see a fast follow with others reusing their work and leveraging the existing benefits there, particularly with the overhead associated with procurement in the federal government, the cost savings of crowdsourced security versus the more traditional methods is amplified even further for the government.”

Like many of the projects 18F and TTS develop, the bug bounty may appear initially to be for the agency’s exclusive benefit, but its real value is as a proof of concept for the rest of government, Rice believes.

“To me, I look at something like this in its early stages and the real benefits to this are that it should result in a repeatable process that almost any agency could go adopt through their contracting process,” he said. “The thoroughness of the proposal means that people going through the process shouldn’t have to redo that work.”  

GSA’ TTS anticipates an award date around April 6, and the awarded contractor would begin the program within 10 days of that.