The General Services Administration is offering the first bounty from a civilian federal agency to encourage outsiders to detect computer bugs.
The bounties will initially range from $150 for a minor bug to $2,000 for a critical flaw.
The bounty, under GSA’s Technology Transformation Service (TTS), will follow several basic guidelines, such as conforming to industry common practices for bounties, and offering competitive rewards. “Leveraging HackerOne platform data, new services will be introduced with median or higher reward levels and typically increase over time,” said the GSA announcement.
“We look forward to working alongside skilled security researchers across the globe to help further improve the security posture of TTS-owned services,” GSA said. But not surprisingly, the rewards come with a few strings.
Only some TTS services are eligible, such as the Federalist web publishing service. Bounty hunters cannot have been GSA employees or contractors — or a family member of the same — within the last six months. And as for open-source software, “while we welcome the submission of any vulnerability that impacts in-scope services, we may not be able to award a bounty for submissions where the root-cause vulnerability was introduced by an upstream library,” said GSA.