FireBounty U.S. General Services Administration Vulnerability Disclosure Program

Link to program

2021-03-29

Thank

Gift

HOF

Reward

U.S. General Services Administration

GSA Vulnerability Disclosure Policy

As a U.S. government agency, the General Services Administration (GSA) takes seriously our responsibility to protect the public's information, including financial and personal information, from unwarranted disclosure.

Security researchers should feel comfortable reporting vulnerabilities discovered, as defined in this policy, to afford GSA the opportunity to remediate the findings for the purpose of ensuring confidentiality, so we can fix them and keep our information safe.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Scope

This policy applies to the systems in the Scope section below.

Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-federal systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren't sure whether a system or endpoint is in scope or not, contact HackerOne support before starting your research.

The following test types are not authorized:

User interface bugs or typos.
Network denial of service (DoS or DDoS) tests.
Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
Brute Force Attacks against login interfaces

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately. Disclosure of the following may not be made to any third party:

Personally identifiable information
Financial information (e.g. credit card or bank account numbers)
Proprietary information or trade secrets of companies of any party

Guidelines

Security researchers shall:

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems. Once you've established that a vulnerability exists, or encountered any of the sensitive data outlined above, you must stop your test and notify us immediately.
Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified GSA. For details, please review Coordinated Disclosure.

GSA is committed to acknowledging receipt of the report within 2 business days via the HackerOne platform.

Legal

You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.

GSA does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-GSA entity (e.g., other Federal departments or agencies; State, local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-GSA third party may independently determine whether to pursue legal action or remedies related to such activities.

If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) GSA will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than GSA, GSA will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.

Reporting a Vulnerability

Note: We do not support PGP-encrypted emails. Do not share sensitive information through email. If you believe it is necessary to share sensitive information with us, please indicate as such on the report and GSA will reach out to establish a more secure method.

Reports should include:

Description of the location and potential impact of the vulnerability.
A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
Any technical information and related materials we would need to reproduce the issue.

Please keep your vulnerability reports current by sending us any new information as it becomes available.

We may share your vulnerability reports with US-CERT, as well as any affected vendors or open source projects.

Coordinated Disclosure

GSA is committed to patching vulnerabilities within 90 days or less and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other's mistakes.

At the same time, we believe that disclosure in absence of a readily available patch tends to increase risk rather than reduce it, and so we request that you refrain from sharing your report with others while we work on our patch. If you believe there are others that should be informed of your report before the patch is available, please let us know so we can make arrangements.

We may want to coordinate an advisory with you to be published simultaneously with the patch, but you are also welcome to self-disclose if you prefer. By default, we prefer to disclose everything, but we will never publish information about you or our communications with you without your permission. In some cases, we may also have some sensitive information that should be redacted, and so please check with us before self-disclosing.

In Scope

Scope Type	Scope Name
web_application	*.GSAADVANTAGE.GOV
web_application	*.IDMANAGEMENT.GOV
web_application	*.REGINFO.GOV
web_application	*.ROCIS.GOV
web_application	*.SECTION508.GOV
web_application	*.SFTOOL.GOV
web_application	SAM.GOV
web_application	BUYACCESSIBLE.GOV
web_application	www.sam.gov
web_application	portal.fas.gsa.gov
web_application	was.itss.gsa.gov
web_application	oasispet.gsa.gov
web_application	sws.gsa.gov
web_application	tams.gsa.gov
web_application	tams.preprod.gsa.gov
web_application	etsvendorsales.gsa.gov
web_application	hallways-staging.cap.gsa.gov
web_application	hallways.cap.gsa.gov
web_application	interact.gsa.gov
web_application	navigator.gsa.gov
web_application	p3.cap.gsa.gov
web_application	scopereview.gsa.gov
web_application	srp.fas.gsa.gov
web_application	tmss.gsa.gov
web_application	tmss.preprod-acqit.helix.gsa.gov
web_application	tscportal.fas.gsa.gov
web_application	vasalesportal.gsa.gov
web_application	drivethru.gsa.gov
web_application	autoauctions.gsa.gov
web_application	fms.fas.gsa.gov
web_application	arm.fas.gsa.gov
web_application	fmvrs.fas.gsa.gov
web_application	ffms.fas.gsa.gov
web_application	str.gsa.gov
web_application	amp.fas.gsa.gov
web_application	vehiclestdb.fas.gsa.gov
web_application	autovendorb.fas.gsa.gov
web_application	autochoiceb.fas.gsa.gov
web_application	roadsb.fas.gsa.gov
web_application	vehiclestd.fas.gsa.gov
web_application	autovendor.fas.gsa.gov
web_application	autochoice.fas.gsa.gov
web_application	roads.fas.gsa.gov
web_application	reportsportal.fas.gsa.gov
web_application	vehicledispatch.fas.gsa.gov
web_application	cars.fas.gsa.gov
web_application	fleet.gsa.gov/aiedecision/
web_application	drivethru.gsa.gov/vfe.htm
web_application	spdatawarehouse.fas.gsa.gov
web_application	gsaxcess.gov
web_application	computersforlearning.gov
web_application	smartpaybi.fas.gsa.gov/BOE/BI/
web_application	cops.fas.gsa.gov
web_application	cpsearch.fas.gsa.gov
web_application	eoffer.gsa.gov
web_application	extcws.fas.gsa.gov
web_application	gsaadvantage.gov
web_application	ebuy.gsa.gov
web_application	afadvantage.gov
web_application	dhsadvantage.gsa.gov
web_application	gsaglobalsupply.gsa.gov
web_application	usdaadvantage.gsa.gov
web_application	usmcservmart.gsa.gov
web_application	vaadvantage.gsa.gov
web_application	gsaelibrary.gsa.gov
web_application	asap.gsa.gov
web_application	poportal.gsa.gov
web_application	aacinquiry.fas.gsa.gov
web_application	8astars.fas.gsa.gov
web_application	gsaadvantage-cors.fas.gsa.gov
web_application	vsc.gsa.gov
web_application	ebuy-test.fas.gsa.gov
web_application	ebuyconnect.fas.gsa.gov
web_application	ebuyconnect-test.fas.gsa.gov
web_application	gsaadvantage-test.fas.gsa.gov
web_application	gsaadvantage-test2.fas.gsa.gov
web_application	gsaadvantage-test3.fas.gsa.gov
web_application	vscftp.gsa.gov
web_application	gsaadvantage.gsa.gov
web_application	gsadvantage.gsa.gov
web_application	*.cdo.gov
web_application	hrlinks.anywhere.gsa.gov
web_application	bm-hrlinks.anywhere.gsa.gov
web_application	tc-hrlinks.anywhere.gsa.gov
web_application	downloads.anywhere.gsa.gov
web_application	vdi.anywhere.gsa.gov
web_application	vdi-central.anywhere.gsa.gov
web_application	vdi-east.anywhere.gsa.gov
web_application	vdi-test.anywhere.gsa.gov
web_application	anywhere.gsa.gov
web_application	co-vpn.gsa.gov
web_application	ithelp.gsa.gov
web_application	mobile.anywhere.gsa.gov
web_application	ncr-vpn.gsa.gov
web_application	ncr.anywhere.gsa.gov
web_application	r06.anywhere.gsa.gov
web_application	r6-vpn.gsa.gov
web_application	r7-vpn.gsa.gov
web_application	secureauth.dev.gsa.gov
web_application	secureauth.gsa.gov
web_application	vpntest.gsa.gov
web_application	vpn.gsa.gov
web_application	vpntest2.gsa.gov
web_application	le.dms.gsa.gov
web_application	smartpay.gsa.gov
web_application	training.smartpay.gsa.gov
web_application	gsafinearts.pbs.gsa.gov
web_application	mysmartplans.gsa.gov
web_application	ncrrecycles.gsa.gov
web_application	publiccourts.gsa.gov
web_application	r2.gsa.gov
web_application	ilmt.pbs.gsa.gov
web_application	lmt.pbs.gsa.gov
web_application	pappcon1.pbs.gsa.gov
web_application	pappcon2.pbs.gsa.gov
web_application	tappcon1.pbs.gsa.gov
web_application	tappcon2.pbs.gsa.gov
web_application	uappcon1.pbs.gsa.gov
web_application	uappcon2.pbs.gsa.gov
web_application	ulmt.pbs.gsa.gov
web_application	api.sftool.gov
web_application	app.buyaccessible.gov
web_application	arch.idmanagement.gov
web_application	demo.sftool.gov
web_application	devicepki.idmanagement.gov
web_application	digitaldashboard.gov
web_application	fpki.idmanagement.gov
web_application	pacs.idmanagement.gov
web_application	piv.idmanagement.gov
web_application	pm.idmanagement.gov
web_application	registration.section508.gov
web_application	training.section508.gov
web_application	uat.digitaldashboard.gov
web_application	Alpha2.sam.gov
web_application	jss.gsa.gov
web_application	eoffer-test.fas.gsa.gov
web_application	CIO.GOV
web_application	CAO.GOV
web_application	CFO.GOV
web_application	CITIZENSCIENCE.GOV
web_application	CLOUD.GOV
web_application	CODE.GOV
web_application	COMPUTERSFORLEARNING.GOV
web_application	CONSUMERACTION.GOV
web_application	CONTRACTDIRECTORY.GOV
web_application	FEDRAMP.GOV
web_application	FEDROOMS.GOV
web_application	FIRSTGOV.GOV
web_application	FMI.GOV
web_application	FPC.GOV
web_application	FPDS.GOV
web_application	FPKI.GOV
web_application	FPKI-LAB.GOV
web_application	FSD.GOV
web_application	US.GOV
web_application	USA.GOV
web_application	USAGOV.GOV
web_application	USSM.GOV
web_application	VOTE.GOV
web_application	*.CAO.GOV
web_application	*.CFO.GOV
web_application	*.CITIZENSCIENCE.GOV
web_application	*.CLOUD.GOV
web_application	*.CONSUMERACTION.GOV
web_application	*.CONTRACTDIRECTORY.GOV
web_application	*.DATA.GOV
web_application	*.FEDROOMS.GOV
web_application	*.FIRSTGOV.GOV
web_application	*.FPC.GOV
web_application	*.FPDS.GOV
web_application	*.FPKI.GOV
web_application	*.FPKI-LAB.GOV
web_application	*.FSD.GOV
web_application	*.IDENTITYSANDBOX.GOV
web_application	*.LOGIN.GOV
web_application	*.SBST.GOV
web_application	*.US.GOV
web_application	*.USA.GOV
web_application	*.USAGOV.GOV
web_application	*.USSM.GOV
web_application	*.VOTE.GOV
web_application	18F.GOV
web_application	*.18F.GOV
web_application	ACCESSIBILITY.GOV
web_application	*.ACCESSIBILITY.GOV
web_application	ACQUISITION.GOV
web_application	BUSINESSUSA.GOV
web_application	*.BUSINESSUSA.GOV
web_application	api-alpha.sam.gov
web_application	dss.gsa.gov
web_application	dpa.gsa.gov
web_application	soa-ext.fas.gsa.gov
web_application	*.ptt.gov
web_application	ptt.gov
web_application	PCSCOTUS.GOV
web_application	*.PCSCOTUS.GOV
web_application	SaferFederalWorkforce.gov
web_application	FASCC.GSA.GOV)
web_application	gis.gsa.gov
web_application	indoors.gsa.gov
web_application	spdatawarehousebi.gsa.gov
web_application	pbrb.gov
web_application	fmi.gov
web_application	PPMS.GOV
web_application	charlie.sam.gov
web_application	grex.pbs.gsa.gov
web_application	travel.reporting.gov
web_application	property.reporting.gov
web_application	reporting.gov
web_application	fairs.reporting.gov
web_application	beta.property.reporting.gov
web_application	beta.travel.reporting.gov
web_application	leasing.gsa.gov
web_application	facadatabase.gov
web_application	realpropertyprofile.gov
web_application	beta.facadatabase.gov
web_application	frpg.gov
web_application	ask.gsa.gov
web_application	cmls.gsa.gov
web_application	disposal.gsa.gov
web_application	fedspecs.gsa.gov
web_application	ftp.gsa.gov
web_application	itjobs.open.gsa.gov
web_application	labs.gsa.gov
web_application	listserv.gsa.gov
web_application	lop.gsa.gov
web_application	rc.gsa.gov
web_application	usaccess-alp.gsa.gov
web_application	vec.gsa.gov
web_application	api.acquisition.gov
web_application	editor.acquisition.gov
web_application	editor.acquisition-uat.gsa.gov
web_application	acquisition-uat.gsa.gov
web_application	api.acquisition-uat.gsa.gov
web_application	training.reginfo.gov
web_application	rpa.gov
web_application	thenamingcommission.gov
web_application	madeinamerica.gov
web_application	fleet.fas.gsa.gov
web_application	fleet.gsa.gov
web_application	fleeteur.fas.gsa.gov
web_application	gsac0.fas.gsa.gov
web_application	gsacin.fas.gsa.gov
web_application	gsafleet2go.fas.gsa.gov
web_application	webservices.fas.gsa.gov
web_application	edms.gsa.gov
web_application	api-staging.ppms.gov
web_application	api.ppms.gov
web_application	staging.ppms.gov
web_application	ppms.gov
web_application	federalist-proxy.app.cloud.gov
web_application	account.fr.cloud.gov
web_application	ci.fr.cloud.gov
web_application	dashboard.fr.cloud.gov
web_application	login.fr.cloud.gov
web_application	logs.fr.cloud.gov
web_application	data.gov
web_application	federation.data.gov
web_application	sdg.data.gov
web_application	labs.data.gov
web_application	catalog.data.gov
web_application	inventory.data.gov
web_application	admin-catalog-bsp.data.gov
web_application	idp.fr.cloud.gov
web_application	admin.fr.cloud.gov
web_application	alertmanager.fr.cloud.gov
web_application	diagrams.fr.cloud.gov
web_application	grafana.fr.cloud.gov
web_application	logs-platform.fr.cloud.gov
web_application	nessus.fr.cloud.gov
web_application	opslogin.fr.cloud.gov
web_application	prometheus.fr.cloud.gov
web_application	ssh.fr.cloud.gov
web_application	api.fr.cloud.gov
web_application	api.data.gov
web_application	*.login.gov
web_application	dashboard-beta.fr.cloud.gov
web_application	tock.18f.gov
web_application	*.code.gov
web_application	fedramp.gov
web_application	marketplace.fedramp.gov
web_application	*.search.gov
web_application	usa.gov
web_application	analytics.usa.gov
web_application	search.usa.gov
web_application	federalist.18f.gov
web_application	cloud.gov
web_application	federalist-docs.18f.gov
web_application	fy21payments.gsa.gov
web_application	CHALLENGE.GOV
web_application	uat-subdomains.digitaldashboard.gov
web_application	acquisition-staging.gsa.gov
web_application	https://portal.forms.gov
web_application	https://submission.forms.gov/
web_application	https://sign.forms.gov
web_application	https://api.forms.gov/
web_application	https://portal-dev.forms.gov
web_application	https://submission-dev.forms.gov/
web_application	https://sign-dev.forms.gov
web_application	https://api-dev.forms.gov/
web_application	https://portal-test.forms.gov
web_application	https://submission-test.forms.gov/
web_application	https://sign-test.forms.gov
web_application	https://api-test.forms.gov/
web_application	discovery.gsa.gov
web_application	staging-tableau.d2d.gsa.gov
web_application	tableau.d2d.gsa.gov
web_application	d2d.gsa.gov
web_application	staging.d2d.gsa.gov
web_application	benchmarks.gsa.gov
web_application	fmvrsb.fas.gsa.gov
web_application	fmswseb.fas.gsa.gov
web_application	fleeteurb.fas.gsa.gov
web_application	fleetb.gsa.gov
web_application	ffmsb.fas.gsa.gov
web_application	drivethrub.gsa.gov
web_application	autochoice.gsa.gov
web_application	advantage.gsa.gov
web_application	aaapintsb.pbs.gsa.gov
web_application	aaapextsb.pbs.gsa.gov
web_application	css-staging.d2d.gsa.gov
web_application	css.d2d.gsa.gov
web_application	odc.d2d.gsa.gov
web_application	staging-odc.d2d.gsa.gov
web_application	tss-staging.d2d.gsa.gov
web_application	tss.d2d.gsa.gov
web_application	roadsviewb.fas.gsa.gov
web_application	eoffer-test2.fas.gsa.gov
web_application	gsafleet.gov
web_application	www.FMI.GOV
web_application	connect.gsa.gov
web_application	fas.connect.gsa.gov
web_application	gsa.gov
web_application	publicfrppdata.realpropertyprofile.gov
web_application	beta.usaccess-alp.gsa.gov
web_application	beta.OCRTitleVI.gsa.gov
web_application	evaluation.gov
web_application	telluride.gsa.gov
web_application	ncportal.fas.gsa.gov
web_application	ncportalt.fas.gsa.gov
web_application	ncportals.fas.gsa.gov
web_application	webshop.gsa.gov
web_application	aspdotnetstorefront.webshops.fas.gsa.gov
web_application	aspdotnetstorefront.webshopt.fas.gsa.gov
web_application	vcss.gsa.gov
web_application	vcss.ocfo.gsa.gov
web_application	calc.gsa.gov
web_application	finance.ocfo.gsa.gov/defaultexternal/
web_application	fedpay.gsa.gov
web_application	finance.ocfo.gsa.gov
web_application	financeweb.gsa.gov
web_application	cforeports.gsa.gov
web_application	fmitservices-external.gsa.gov/paymentsearch
web_application	financeweb.gsa.gov/vendorpayment
web_application	finance.ocfo.gsa.gov/webvendors
web_application	fmitservices-external.gsa.gov
web_application	finance.gsa.gov
web_application	*.FAI.GOV
web_application	regulations.gov
web_application	api.regulations.gov
web_application	origin-beta-staging.regulations.gov
web_application	outage.regulations.gov
web_application	resources.regulations.gov
web_application	staging.regulations.gov
web_application	test-api.regulations.gov
web_application	test-widget-examples.regulations.gov
web_application	test-widget.regulations.gov
web_application	test.regulations.gov
web_application	iolp.gsa.gov
web_application	slc.gsa.gov
web_application	frppmap.gsa.gov
web_application	epm.pbs.gsa.gov
web_application	cognos.pbs.gsa.gov
web_application	ask.fas.gsa.gov
web_application	extportal.pbs.gsa.gov/eOA
web_application	debits.fas.gsa.gov
web_application	certauth.adfsi.gsa.gov
web_application	certauth.adfss.gsa.gov
web_application	e04bmm-secauth6.ent.ds.gsa.gov
web_application	e04bmm-secauth7.ent.ds.gsa.gov
web_application	e04bmm-secauth8.ent.ds.gsa.gov
web_application	e04bmm-secauth9.ent.ds.gsa.gov
web_application	e04tcm-secauth6.ent.ds.gsa.gov
web_application	e04tcm-secauth7.ent.ds.gsa.gov
web_application	e04tcm-secauth8.ent.ds.gsa.gov
web_application	e04tcm-secauth9.ent.ds.gsa.gov
web_application	e07r7m-secauth6.ent.ds.gsa.gov
web_application	e07r7m-secauth7.ent.ds.gsa.gov
web_application	e07r7m-secauth8.ent.ds.gsa.gov
web_application	e07r7m-secauth9.ent.ds.gsa.gov
web_application	e04tcm-authdev3.ent.ds.gsa.gov
web_application	e04tcm-authdev4.ent.ds.gsa.gov
web_application	r05-voipedge.gsa.gov
web_application	lab-bm.anywhere.gsa.gov
web_application	finhrapps.anywhere.gsa.gov
web_application	tc-finhrapps.anywhere.gsa.gov
web_application	bm-finhrapps.anywhere.gsa.gov
web_application	apie.gsa.gov
web_application	staging.apie.gsa.gov
web_application	test.gsa.gov
web_application	mcm.fas.gsa.gov
web_application	cdo.gov
web_application	digital.gov
web_application	digitalgov.gov
web_application	ecpic.gov
web_application	esrs.gov
web_application	faca.gov
web_application	fai.gov
web_application	sftool.gov
web_application	fbf.gov
web_application	idmanagement.gov
web_application	login.gov
web_application	reginfo.gov
web_application	rocis.gov
web_application	search.gov
web_application	section508.gov
web_application	buyamerican.gov
web_application	*.buyamerican.gov
web_application	IDENTITYSANDBOX.GOV
web_application	sbst.gov

Out of Scope

Scope Type	Scope Name
web_application	CBCA.GOV
web_application	CFDA.GOV
web_application	CHALLENGES.GOV
web_application	CONNECT.GOV
web_application	CPARS.GOV
web_application	FORMS.GOV
web_application	FPISC.GOV
web_application	FRPG.GOV
web_application	WDOL.GOV
web_application	*.CBCA.GOV
web_application	*.CFDA.GOV
web_application	*.CHALLENGE.GOV
web_application	*.CHALLENGES.GOV
web_application	*.CODE.GOV
web_application	*.COMPUTERSFORLEARNING.GOV
web_application	*.CONNECT.GOV
web_application	*.CPARS.GOV
web_application	*.DIGITAL.GOV
web_application	*.DIGITALDASHBOARD.GOV
web_application	*.DIGITALGOV.GOV
web_application	*.DOTGOV.GOV
web_application	*.ECPIC.GOV
web_application	*.ESRS.GOV
web_application	*.EVERYKIDINAPARK.GOV
web_application	*.FACA.GOV
web_application	*.FACADATABASE.GOV
web_application	*.FAPISS.GOV
web_application	*.FBF.GOV
web_application	*.FBO.GOV
web_application	*.FDMS.GOV
web_application	*.FEDBIZOPPS.GOV
web_application	*.FEDIDCARD.GOV
web_application	*.FEDINFO.GOV
web_application	*.FEDRAMP.GOV
web_application	*.FORMS.GOV
web_application	*.FPISC.GOV
web_application	*.FRPG.GOV
web_application	*.FSRS.GOV
web_application	*.GOBIERNOUSA.GOV
web_application	*.GOVSALES.GOV
web_application	*.GSAAUCTIONS.GOV
web_application	*.GSAIG.GOV
web_application	*.GSATEST1.GOV
web_application	*.GSATEST2.GOV
web_application	*.GSAXCESS.GOV
web_application	*.HOWTO.GOV
web_application	*.INFO.GOV
web_application	*.INNOVATION.GOV
web_application	*.KIDS.GOV
web_application	*.NIC.GOV
web_application	*.PERFORMANCE.GOV
web_application	*.PIC.GOV
web_application	*.PIF.GOV
web_application	*.PKI.GOV
web_application	*.PKI-LAB.GOV
web_application	*.PLAINLANGUAGE.GOV
web_application	*.PPIRS.GOV
web_application	*.PRESIDENTIALINNOVATIONFELLOWS.GOV
web_application	*.PTT.GOV
web_application	*.REALESTATESALES.GOV
web_application	*.REALPROPERTYPROFILE.GOV
web_application	*.REGULATIONS.GOV
web_application	*.REPORTING.GOV
web_application	*.SANDBOX.GOV
web_application	*.SEARCH.GOV
web_application	*.WDOL.GOV
web_application	*.SAM.GOV
web_application	GSA.GOV
web_application	*.GSA.GOV
web_application	*.ACQUISITION.GOV
web_application	AFADVANTAGE.GOV
web_application	*.AFADVANTAGE.GOV
web_application	*.CIO.GOV
web_application	*.ITDASHBOARD.GOV
web_application	ALPHA.SAM.GOV
web_application	*.app.cloud.gov
web_application	*.cloud.gov
web_application	*.data.gov

This program crawled on the 2021-03-29 is sorted as bounty.

U.S. General Services Administration

In Scope

Out of Scope

FireBounty - Add your Vulnerability Disclosure Policy