As part of its programmatic focus on security, the General Services Administration (GSA)'s Technology Transformation Services (TTS) is pleased to welcome you to the first bug bounty program by a civilian federal agency. We look forward to working alongside skilled security researchers across the globe to help further improve the security posture of TTS-owned services.
As the first program of its kind, we expect to evolve its structure over time and welcome feedback on areas for improvement. The following criteria guide our thinking:
Participation in this program is governed by the Vulnerability Disclosure Policy of the Technology Transformation Service. Please fully review the linked policy prior to your participation.
The bug bounty program of the Technology Transformation Service is special in that it aims to cover numerous individual services that have been developed to address a diverse range of public use cases. Our strategy is to introduce services into scope at regular intervals. We offer tiered bounty levels based primarily on the length of time each service has been in scope.
| Severity¹ | Initial² | Standard³ | Login.gov Only |
|---|---|---|---|
| Critical | $2,000 | $5,000 | $5,000 |
| High | $750 | $2,000 | $2,000 |
| Medium | $300 | $750 | $300 |
| Low | $150 | $250 | $150 |
¹ By default, Severity will be assessed according to CVSS v3.
² The initial bounty amounts for newly included services target the 75th percentile award level based on current HackerOne platform data.
³ Services that have been in scope for a reasonable period of time graduate to higher award levels.
The Technology Transformation Service comprises many autonomous technical teams operating multiple services. While the services below offer bounties, all others do not. Please review this scope section carefully before proceeding. If you wish to be notified when additional services are introduced to scope, please click "Notify me of changes" at the bottom of this page.
Note: "subdomain hijacking" (taking control of a subdomain that was otherwise unused, such as by taking advantage of a dangling CNAME to a third party service provider) is in-scope for bounty awards, when the affected hostnames are within the second-level domains that appear in our in-scope list. These reports will always be considered low-severity unless there is further demonstrated impact.
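The scope note above turns on two checks a defender can automate: does a CNAME point at a third-party target that no longer resolves, and does the affected hostname fall within an in-scope second-level domain. The script below is an added example (not GSA/TTS tooling); all hostnames, CNAME targets and resolver answers are constructed, and the resolver is injected as a callable so the audit runs offline and can be swapped for a real lookup.

```python
"""Audit CNAME records for dangling third-party targets and check program scope."""
from typing import Callable, Dict, List, NamedTuple, Optional

# Constructed sample zone data: hostname -> CNAME target. Placeholder names only.
SAMPLE_CNAMES: Dict[str, str] = {
    "docs.example-agency.gov": "example-agency.github.io",
    "old-demo.example-agency.gov": "retired-app.herokuapp.com",
    "www.other-site.gov": "unused-bucket.s3.amazonaws.com",
}

# Constructed in-scope second-level domains, as a program scope list would name them.
IN_SCOPE_SLDS = {"example-agency.gov"}

# Constructed resolver answers. None models a target that no longer resolves
# (NXDOMAIN or an unclaimed provider resource), which is what makes a CNAME dangling.
SAMPLE_RESOLUTION: Dict[str, Optional[str]] = {
    "example-agency.github.io": "185.199.108.153",
    "retired-app.herokuapp.com": None,
    "unused-bucket.s3.amazonaws.com": None,
}


class Finding(NamedTuple):
    hostname: str
    target: str
    in_scope: bool


def second_level_domain(hostname: str) -> str:
    """Return the last two labels (e.g. 'example-agency.gov').

    Assumes a single-label public suffix such as .gov; hostnames under
    multi-label suffixes would need a public-suffix list instead.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dangling(cnames: Dict[str, str],
                  resolve: Callable[[str], Optional[str]],
                  in_scope_slds: set) -> List[Finding]:
    """Flag every CNAME whose target fails to resolve and mark whether it is in scope."""
    findings: List[Finding] = []
    for host, target in cnames.items():
        if resolve(target) is None:
            findings.append(Finding(host, target, second_level_domain(host) in in_scope_slds))
    return findings


if __name__ == "__main__":
    for finding in find_dangling(SAMPLE_CNAMES, SAMPLE_RESOLUTION.get, IN_SCOPE_SLDS):
        print(finding)
```

Records flagged with `in_scope=True` are the ones this note covers; per the text they default to Low severity unless further impact is shown.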
Our goal with this program is to fix issues with meaningful impact. Thus, we exclude certain types of issues because they have low (or no) security impact to us, and/or are known issues that we're comfortable with. These issues are unlikely to be eligible for an award, and will usually be considered invalid for the purposes of our program:
If you submit a qualifying, validated vulnerability, you may be eligible to receive a bounty award subject to the terms below: