Reps. Ted Lieu, D-Calif., and Ted Yoho, R-Fla., introduced a bill March 21, 2018, that directs the State Department to develop vulnerability disclosure and bug bounty programs to address the cyber weaknesses of public-facing State networks and data systems.
The Hack Your State Department Act would require the Secretary of State to establish, within 180 days of the bill’s enactment, guidelines and processes for a vulnerability disclosure program (VDP) that enables security researchers to uncover and report gaps in department systems.
The Secretary of State must then submit to Congress, within 180 days of the VDP’s establishment and once each year for the next six years, a report on the number of vulnerabilities disclosed and the average time to close them.
The State Department would also have to establish a bug bounty program, similar to the Department of Defense’s Hack the Pentagon program conducted in 2016. This would include providing compensation for newly reported vulnerabilities, contracting a company to manage the program and developing a registration process for security researchers wishing to participate.
“I’m proud of this bill because the vulnerability disclosure and bug bounty programs are innovative ways to solve what is one of our government’s most pressing concerns: data security. By capitalizing on the skills of some of the best minds in cybersecurity, as well as the general public, we’ll be able to make sure the State Department is able to safely and securely continue its mission as America’s voice abroad,” said Lieu.
The original Hack the Pentagon program, which was stood up by the Defense Digital Service, was considered a huge success after uncovering 138 unique weaknesses in the DoD’s public-facing websites.
Since then, a Hack the Air Force program has also garnered significant results.
“Hack the State Department enables us to effectively identify our vulnerabilities and use the brightest cybersecurity minds to strengthen our defenses. Cyber threats are constantly evolving, and our cyber defenses must evolve with them,” said Yoho.
Lieu also sponsored a Hack the Department of Homeland Security Act in June 2017 with a companion bill in the Senate, though neither has seen a floor vote since then.