TTS Bug Bounty
As part of its programmatic focus on security, the General Services Administration's Technology Transformation Service (TTS) is pleased to welcome you to the first bug bounty program by a civilian federal agency. We look forward to working alongside skilled security researchers across the globe to help further improve the security posture of TTS-owned services.
As the first program of its kind, we expect to evolve its structure over time and welcome feedback on areas for improvement. The following criteria guide our thinking:
Common Practices: Wherever it makes sense, TTS desires to learn from and follow industry common practices in bounty programs. We will deviate only when there is a clear and specific need.
Competitive: We seek to provide competitive bounty amounts. Leveraging HackerOne platform data, new services will be introduced with median or higher reward levels and typically increase over time.
Open: Our intent is for each service to be open to public participation. We will start with private programs only as a stepping stone toward public.
Responsive: TTS comprises many autonomous technical teams. Only teams that commit to and maintain a positive level of responsiveness to researchers will be included.
Vulnerability Disclosure Policy
Participation in this program is governed by the Vulnerability Disclosure Policy (https://github.com/18F/vulnerability-disclosure-policy/blob/master/vulnerability-disclosure-policy.md) of the Technology Transformation Service. Please fully review the linked policy prior to your participation.
The bug bounty program of the Technology Transformation Service is unusual in that it aims to cover numerous individual services that have been developed to address a diverse range of public use cases. Our strategy is to introduce services into scope at regular intervals. We offer tiered bounty levels based primarily on the length of time each service has been in scope.
| Severity¹ | Initial² | Standard³ |
| --- | --- | --- |
| Critical | $2,000 | TBD |
| High | $750 | TBD |
| Medium | $300 | TBD |
| Low | $150 | TBD |
¹ By default, Severity will be assessed according to CVSS v3.
² The initial bounty amounts for newly included services target the 75th percentile award level based on current HackerOne platform data.
³ Services that have been in scope for a reasonable period of time graduate to higher award levels.
The Technology Transformation Service comprises many autonomous technical teams operating multiple services. Only the services listed below offer bounties; all others do not. Please review this scope section carefully before proceeding. If you wish to be notified when additional services are introduced to scope, please click "Notify me of changes" at the bottom of this page.
* Description: Federalist is an open source static site web publishing service for the United States federal government. We are highly interested in vulnerabilities that impact the integrity of production content or enable a malicious user to impact sites outside of their granted permissions. To get started, we recommend How Federalist Works (https://federalist-docs.18f.gov/pages/how-federalist-works/) and instructions on Running Federalist Locally (https://federalist-docs.18f.gov/pages/how-federalist-works/running-federalist-locally/). The site at https://federalist-docs.18f.gov/ itself is a sample deployment of Federalist.
* Bounty Level: Initial ($150 - $2,000)
* Assets: federalist.18f.gov, federalist-proxy.app.cloud.gov, federalist-docs.18f.gov, 18F/federalist (https://github.com/18F/federalist), 18F/federalist-builder (https://github.com/18F/federalist-builder), 18F/federalist-proxy (https://github.com/18F/federalist-proxy), 18F/federalist-docker-build (https://github.com/18F/federalist-docker-build), 18F/docker-ruby-ubuntu (https://github.com/18F/docker-ruby-ubuntu)
* Description: While only the assets listed above are eligible for bounties, we welcome disclosures of vulnerabilities in a wider set of assets through our Vulnerability Disclosure Policy. The full set of assets in scope for disclosure is listed below and in our Vulnerability Disclosure Policy (https://github.com/18F/vulnerability-disclosure-policy/blob/master/vulnerability-disclosure-policy.md).
* Bounty Tier: Not Eligible
* Assets: Please see our Vulnerability Disclosure Policy (https://github.com/18F/vulnerability-disclosure-policy/blob/master/vulnerability-disclosure-policy.md) for the full list of assets covered by this policy.
If you submit a qualifying, validated vulnerability, you may be eligible to receive a bounty award subject to the terms below:
* We embrace open source software (https://18f.gsa.gov/open-source-policy/). While we welcome the submission of any vulnerability that impacts in-scope services, we may not be able to award a bounty for submissions where the root-cause vulnerability was introduced by an upstream library.
* You are not currently, and have not been within the 6 months prior to submission, an employee or contractor of the U.S. General Services Administration (GSA)
* You are not a family or household member of an employee or contractor of the U.S. General Services Administration (GSA) as described above
* You must meet all HackerOne Bug Bounty eligibility requirements, such as not being subject to trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).
Hall of Fame