25/08/2017
Reward

150 $ 

In Scope

Scope Type | Scope Name
---|---
web_application | https://data.gov
web_application | https://federalist-proxy.app.cloud.gov
web_application | https://admin-catalog-bsp.data.gov
web_application | https://login.fr.cloud.gov/
web_application | https://static.data.gov
web_application | https://logs.fr.cloud.gov
web_application | https://github.com/GSA/datagov-deploy
web_application | https://inventory.data.gov
web_application | https://account.fr.cloud.gov
web_application | https://ci.fr.cloud.gov
web_application | https://federation.data.gov
web_application | tock.18f.gov
web_application | *.search.usa.gov
web_application | https://idp.fr.cloud.gov
web_application | *.login.gov
web_application | dashboard-beta.fr.cloud.gov
web_application | https://catalog.data.gov
web_application | https://api.data.gov
web_application | https://www.data.gov
web_application | https://sdg.data.gov
web_application | https://dashboard.fr.cloud.gov
web_application | https://labs.data.gov
web_application | api.fr.cloud.gov
web_application | ssh.fr.cloud.gov
web_application | https://prometheus.fr.cloud.gov
web_application | https://opslogin.fr.cloud.gov
web_application | https://nessus.fr.cloud.gov
web_application | https://logs-platform.fr.cloud.gov
web_application | https://grafana.fr.cloud.gov
web_application | https://diagrams.fr.cloud.gov
web_application | https://alertmanager.fr.cloud.gov
web_application | https://admin.fr.cloud.gov
web_application | https://github.com/GSA/data.gov
web_application | https://cloud.gov
web_application | https://federalist.18f.gov
web_application | https://federalist-docs.18f.gov
web_application | https://github.com/18F/identity-sp-sinatra
web_application | https://github.com/18F/identity-sp-python
web_application | https://github.com/18F/federalist-docker-build
web_application | https://github.com/18F/federalist
web_application | https://github.com/18F/docker-ruby-ubuntu
web_application | https://github.com/18F/identity-sp-java
web_application | https://github.com/18F/federalist-proxy
web_application | https://github.com/18F/federalist-builder
web_application | https://github.com/18F/identity-sp-rails
web_application | https://github.com/18F/identity-idp
web_application | https://analytics.usa.gov
web_application | https://vote.gov
web_application | https://18f.gsa.gov
web_application | https://manage.data.gov
web_application | *.search.gov
web_application | *.code.gov
web_application | marketplace.fedramp.gov
web_application | www.fedramp.gov

Out of Scope

Scope Type | Scope Name
---|---
other | https://www.data.gov/applications/
web_application | *.data.gov
web_application | *.cloud.gov
web_application | *.app.cloud.gov

TTS Bug Bounty

As part of its programmatic focus on security, the General Services Administration (GSA)'s Technology Transformation Services (TTS) is pleased to welcome you to the first bug bounty program by a civilian federal agency. We look forward to working alongside skilled security researchers across the globe to help further improve the security posture of TTS-owned services.

Philosophy

As the first program of its kind, we expect to evolve its structure over time and welcome feedback on areas for improvement. The following criteria guide our thinking:

  • Common Practices: Wherever it makes sense, TTS desires to learn from and follow industry common practices in bounty programs. We will deviate only when there is a clear and specific need.
  • Competitive: We seek to provide competitive bounty amounts. Leveraging HackerOne platform data, new services will be introduced with median or higher reward levels and typically increase over time.
  • Open: Our intent is for each service to be open to public participation. We will start with private programs only as a stepping stone toward public.
  • Responsive: TTS is comprised of many autonomous technical teams. Only teams that commit to and maintain positive levels of responsiveness to researchers will be included.

Vulnerability Disclosure Policy

Participation in this program is governed by the Vulnerability Disclosure Policy of the Technology Transformation Service. Please fully review the linked policy prior to your participation.

Bug Bounty

The bug bounty program of the Technology Transformation Service is special in that it aims to cover numerous individual services that have been developed to address a diverse range of public use cases. Our strategy is to introduce services into scope at regular intervals. We offer tiered bounty levels based primarily on the length of time each service has been in scope.

Severity¹ | Initial² | Standard³ | Login.gov Only
---|---|---|---
Critical | $2,000 | $5,000 | $5,000
High | $750 | $2,000 | $2,000
Medium | $300 | $750 | $300
Low | $150 | $250 | $150

¹ By default, Severity will be assessed according to CVSS v3.
² The initial bounty amounts for newly included services target the 75th percentile award level based on current HackerOne platform data.
³ Services that have been in scope for a reasonable period of time graduate to higher award levels.

Scope

The Technology Transformation Service is comprised of many autonomous technical teams operating multiple services. Only the services listed below offer bounties; all others do not. Please review this scope section carefully before proceeding. If you wish to be notified when additional services are introduced to scope, please click "Notify me of changes" at the bottom of this page.

  1. cloud.gov
    • Description: The core of cloud.gov is a Platform as a Service built specifically for government work. We are highly interested in vulnerabilities with an impact on the underlying platform or that lead to privilege escalation between customer environments. To get started, we recommend reviewing the cloud.gov overview, documentation, diagrams, and code repositories.
    • Bounty Level: Initial ($150 - $2,000)
    • Assets: cloud.gov, account.fr.cloud.gov, admin.fr.cloud.gov, alertmanager.fr.cloud.gov, api.fr.cloud.gov, ci.fr.cloud.gov, dashboard.fr.cloud.gov, diagrams.fr.cloud.gov, grafana.fr.cloud.gov, idp.fr.cloud.gov, login.fr.cloud.gov, logs.fr.cloud.gov, logs-platform.fr.cloud.gov, nessus.fr.cloud.gov, opslogin.fr.cloud.gov, prometheus.fr.cloud.gov, ssh.fr.cloud.gov, dashboard-beta.fr.cloud.gov
  2. code.gov
    • Description: The Federal Source Code Policy is designed to support reuse and public access to custom-developed Federal source code. It requires new custom-developed source code developed specifically by or for the Federal Government to be made available for sharing and re-use across all Federal agencies. It also includes an Open Source Pilot Program that requires agencies to release at least 20% of new custom-developed Federal source code to the public.
    • Bounty Level: Initial ($150 - $2,000)
    • Assets: *.code.gov
  3. data.gov
    • Description: Data.gov is a rich resource for civic hackers, tech entrepreneurs, data scientists, and developers of all stripes. We are highly interested in vulnerabilities that may impact the integrity of any data, such as any issues with our Data Harvesting processes. As an open data platform, there is negligible confidential information hosted on data.gov.
    • Bounty Level: Initial ($150 - $2,000)
    • Assets: www.data.gov, api.data.gov, federation.data.gov, sdg.data.gov, labs.data.gov, catalog.data.gov, inventory.data.gov, static.data.gov, admin-catalog-bsp.data.gov, GSA/data.gov, GSA/datagov-deploy
  4. Federalist
  5. fedramp.gov
    • Description: The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT.
    • Bounty Level: Initial ($150 - $2,000)
    • Assets: www.fedramp.gov, marketplace.fedramp.gov
  6. login.gov
  7. search.gov
    • Description: Powering over 2,000 search boxes on Federal websites. Check out the Help Manual to get started learning about this service.
    • Bounty Level: Initial ($150 - $2,000)
    • Assets: *.search.gov, *.search.usa.gov
  8. Vulnerability Disclosure
    • Description: While only the assets listed above are eligible for bounties, we welcome disclosures of vulnerabilities in a wider set of assets through our Vulnerability Disclosure Policy. The full set of assets in scope for disclosure is listed below, and in our Vulnerability Disclosure Policy.
    • Bounty Tier: Not Eligible
    • Assets: Please see our Vulnerability Disclosure Policy for the full list of assets covered by this policy.

Note: "subdomain hijacking" (taking control of a subdomain that was otherwise unused, such as by taking advantage of a dangling CNAME to a third party service provider) is in-scope for bounty awards, when the affected hostnames are within the second-level domains that appear in our in-scope list. These reports will always be considered low-severity unless there is further demonstrated impact.

Exclusions and known issues

Our goal with this program is to fix issues with meaningful impact. Thus, we exclude certain types of issues because they have low (or no) security impact to us, and/or are known issues that we're comfortable with. These issues are unlikely to be eligible for an award, and will usually be considered invalid for the purposes of our program:

  • Violations of secure design principles that are not part of exploitable vulnerabilities
  • Missing SPF/DKIM/DMARC entries.
  • CSRF on forms available to anonymous users (e.g., contact forms)
  • Logout CSRF
  • HTTP/TLS configuration issues without demonstrable impact, such as:
    • TLS configuration issues such as BEAST, BREACH, renegotiation attacks, insecure cipher suites, etc.
    • Missing HTTP security headers
    • Lack of Secure or HTTPOnly cookie flags
  • Non-sensitive information disclosure (e.g., server versions, software stack, etc.) on error message pages, 404 pages, and so forth.
  • Presence (or absence) of application/browser autocomplete or save-password flags.
  • Username enumeration on login or forgot password pages.
  • Reports about missing rate limiting where other mitigations exist (for example, brute force attacks against login pages already protected by MFA).
  • Lack of "security speedbumps" when leaving sites/applications.
  • Clickjacking attacks that don't lead to any sensitive state changes.
  • HTTP OPTIONS/TRACE methods enabled.
  • Overly broad permissions on editing wikis (or other non-software non-production areas) associated with our source code repositories.
  • Use of a known-vulnerable library without evidence of exploitability

Eligibility

If you submit a qualifying, validated vulnerability, you may be eligible to receive a bounty award subject to the terms below:

  • We embrace open source software. While we welcome the submission of any vulnerability that impacts in-scope services, we may not be able to award a bounty for submissions where the root-cause vulnerability was introduced by an upstream library.
  • You are not currently, and have not been within the 6 months prior to submission, an employee or contractor of the U.S. General Services Administration (GSA).
  • You are not a family or household member of an employee or contractor of the U.S. General Services Administration (GSA) as described above.
  • You must meet all HackerOne Bug Bounty eligibility requirements, such as not being subject to trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).

FireBounty © 2015-2019