GSA adds to its ongoing bug bounty program

The single sign-on platform is now included in a bug bounty program that GSA started last summer.

The General Services Administration’s Technology Transformation Service is asking friendly hackers to test the security of, the agency’s single sign-on platform for government.

The GSA bug bounty program, the first for a civilian agency, began in August last year as part of a broader effort to draw upon outside expertise to increase the security of a variety of services. Commercial bug bounty platform HackerOne, which has handled similar projects for the military, is managing the effort. At first all of the focus was on the 18F-built Federalist website publishing service, but TTS has opened up additional domains as “targets” over the intervening months.

Now, is fair game. is a government single sign-on project built cooperatively by 18F and the U.S. Digital Service — it allows users to sign into multiple government websites with the same email address and password combination. The service is currently used by government job application site USAJobs; by the U.S. Customs and Border Protection for its jobs site, its Trusted Traveler Program and its Outlying Area Reporting Stations app; and by the USDS for an internal tool.


When USAJobs signed on in February, the job board’s program manager Michelle Earley cited’s security as a decisive element in its favor. “A major reason USAJobs will be transitioning to is because it uses two-factor authentication, which will give users an extra layer of security to help protect their USAJobs profile against password compromises,” Earley said in a statement.

TTS will award bounties of between $150 and $5,000 for vulnerabilities found and disclosed in code.

TTS will continue to expand the domains included in the prize competition too —, and the main 18F domain are all still to be added.
