As part of its programmatic focus on security, the General Services Administration’s Technology Transformation Services (TTS) is pleased to welcome you to the first bug bounty program by a civilian federal agency. We look forward to working alongside skilled security researchers across the globe to help further improve the security posture of TTS-owned services.
As the first program of its kind, we expect to evolve its structure over time and welcome feedback on areas for improvement. The following criteria guide our thinking:
Participation in this program is governed by the Vulnerability Disclosure Policy of the Technology Transformation Service. Please fully review the linked policy prior to your participation.
The bug bounty program of the Technology Transformation Service is special in that it aims to cover numerous individual services that have been developed to address a diverse range of public use cases. Our strategy is to introduce services into scope at regular intervals. We offer tiered bounty levels based primarily on the length of time each service has been in scope.
| Severity¹ | Initial² | Standard³ | Login.gov Only |
|---|---|---|---|
| Critical | $2,000 | $5,000 | $5,000 |
| High | $750 | $2,000 | $2,000 |
| Medium | $300 | $750 | $300 |
| Low | $150 | $250 | $150 |
¹ By default, Severity will be assessed according to CVSS v3.
² The initial bounty amounts for newly included services target the 75th percentile award level based on current HackerOne platform data.
³ Services that have been in scope for a reasonable period of time graduate to higher award levels.
The Technology Transformation Service comprises many autonomous technical teams operating multiple services. While the services below offer bounties, all others do not. Please review this scope section carefully before proceeding.
Description: The core of cloud.gov is a Platform as a Service built specifically for government work. We are highly interested in vulnerabilities with an impact on the underlying platform or that lead to privilege escalation between customer environments. To get started, we recommend reviewing the cloud.gov overview, documentation, diagrams, and code repositories.
Bounty Level: Initial ($150 - $2,000)
Description: login.gov is a single sign-on service offering the public secure and private access to participating government programs. We welcome external review of our privacy-protection measures. Our main application code is available for public inspection in an open-source repository. Our goal: make sure that at every step users know their privacy is being protected by design. Our developer documentation is a great place to get started. NOTE: If you encounter Personally Identifiable Information (PII) during your testing, please STOP and notify us immediately.
Description: While only the assets listed above are eligible for bounties, we welcome disclosures of vulnerabilities in a wider set of assets through our Vulnerability Disclosure Policy. The full set of assets in scope for disclosure is listed below, and in our Vulnerability Disclosure Policy.
Note: "subdomain hijacking" (taking control of a subdomain that was otherwise unused, such as by taking advantage of a dangling CNAME to a third party service provider) is in-scope for bounty awards, when the affected hostnames are within the second-level domains that appear in our in-scope list. These reports will always be considered low-severity unless there is further demonstrated impact.
Our goal with this program is to fix issues with meaningful impact. Thus, we exclude certain types of issues because they have low (or no) security impact to us, and/or are known issues that we're comfortable with. These issues are unlikely to be eligible for an award, and will usually be considered invalid for the purposes of our program:
If you submit a qualifying, validated vulnerability, you may be eligible to receive a bounty award subject to the terms below:
Contact us if you want more information.